U.S. Department of Justice
Office of the Inspector General
Evaluation and Inspections Division

Federal Bureau of Investigation's Integrity and Compliance Program

November 2011

I-2012-001

EXECUTIVE DIGEST

In June 2007, the Federal Bureau of Investigation (FBI) established the Integrity and Compliance Program (ICP) to identify and mitigate legal compliance risks within the FBI.[1] The ICP is designed to proactively identify and correct weaknesses in policy, training, monitoring, and auditing that could result in FBI employees violating the law as they conduct their work. The ICP is modeled on corporate compliance programs that institute systematic procedures to ensure that companies adhere to the laws that govern them.

The ICP's goal is to prevent FBI employees from violating the laws and policies that govern their work by: (1) managing the Ethics and Standards of Conduct program (ethics program) and (2) identifying and reducing legal compliance risks in operations FBI-wide and at the program level.[2] The FBI's Office of Integrity and Compliance (OIC) manages the ICP.[3] The OIC's mission is to "develop, implement and oversee a program that ensures that there are processes and procedures in place that facilitate FBI compliance with both the letter and spirit of all applicable laws, regulations, and policies."[4] The purpose of this Office of the Inspector General (OIG) review was to evaluate the effectiveness of the ICP.

According to an FBI report about the ICP, the impetus for the FBI's establishment of the ICP was a 2007 OIG report that found FBI personnel had not complied with laws and policies governing the use of National Security Letter authority.[5] The OIG report stated that the FBI issued these letters without proper authorization, made requests outside of the scope allowed by statute, and conducted unauthorized collection of telephone or Internet e-mail transactional records.

At the FBI-wide level, FBI executives identify, analyze, and mitigate legal compliance risks that affect the FBI as a whole and that may require coordination between more than one functional area within, and sometimes outside of, the FBI to resolve. They identify and direct actions through a series of steps: risk identification, risk prioritization and selection, risk analysis, risk mitigation, and audit. OIC staff members manage each step of this process, and different FBI committees and employees provide the subject matter expertise needed at each step. In addition, the FBI Inspection Division audits the steps taken to mitigate the risks to determine whether the identified risks actually have been reduced.

At the program level, managers of the FBI's 53 major programs identify and mitigate risks that do not require coordination outside of their program areas to resolve. These managers are responsible for programs that encompass the FBI's operations and administrative functions, ranging from counterintelligence to violent crime and from information technology management to fleet management and transportation services.[6] Managers of the major programs identify their highest priority compliance risks and submit reports twice a year to the OIC and to their divisions' Assistant Directors that include descriptions of the identified risks and the program managers' plans for mitigating them. The OIC reviews these reports to make sure that the issues identified are legal risks and that the plans to address the risks are realistic and can be reasonably expected to reduce the risks. According to the template program managers use in developing risk mitigation plans, their process should also include an audit or a way to monitor the mitigation steps.

Additionally, the OIC manages the FBI's ethics program, which entails providing guidance and training to employees that emphasize the importance of complying with laws and policies that govern their work and the importance of reporting non-compliance with those laws and policies. The OIC is also responsible for maintaining open communication channels for FBI employees to report compliance concerns and for assessing the ICP.

RESULTS IN BRIEF

Through the ICP, the FBI implemented strategies that have started to reduce legal compliance risk in FBI operations. We found that, since the ICP's inception in 2007, the ICP has used a variety of sources to identify 206 FBI-wide potential risk indicators and 112 program-level risks.[7] As will be explained below, these risks have included potential non-compliance in the FBI's use of administrative subpoenas and confidential human sources, as well as potential criticism and litigation over backlogs of DNA samples. In addition, the FBI has taken steps to reduce risk by implementing mitigation plans for 13 FBI-wide risks and 16 program-level risks.[8] We reviewed 11 of the 13 FBI-wide plans and determined that the process the ICP used to develop them addressed the areas of compliance risk and involved relevant stakeholders. Based on the thoroughness of these plans, we believe that if the FBI implements the actions as described, it is reasonable to expect that the actions will reduce compliance risk in those areas. In addition, there were five risk areas where we assessed evidence about whether compliance risk was reduced and found that it was reduced in three of these areas. Further, the OIC manages and has enhanced the FBI's ethics program and promotes reporting of compliance concerns.

However, we identified areas for improvement in the ICP that, if addressed, could enhance its effectiveness and sustainability. We found that most FBI executives and managers no longer consistently use the risk assessment methodology designed for the ICP to evaluate identified risks. Currently, risk assessment and selection is informal, unsystematic, and undocumented. As a result, ICP participants do not necessarily consider the factors the FBI identified for prioritizing risk, which can produce a prioritization inconsistent with the program's established goals.

Further, at the program level, there is no verification that mitigation actions are complete and effective in reducing compliance risk. Because of this lack of monitoring, the FBI cannot be sure that it has successfully implemented the risk reduction strategies for the selected risks. Also, the ICP has not yet been fully implemented in field divisions and, as a result, the field divisions' role in risk identification and reporting to the OIC is undeveloped. Finally, the OIC has not established a way to evaluate the ICP's overall effectiveness or the effectiveness of its processes. Without evaluation, the OIC cannot identify where changes in the program should occur or ensure the sustainability of the ICP.

The following sections discuss our findings in more detail.

Through the ICP, the FBI implemented strategies that have started to reduce compliance risk in FBI operations and activities.

The ICP's identification and mitigation of legal compliance risks before they develop into problems have the potential to significantly reduce legal compliance risk in FBI operations. Prior to the ICP, the FBI identified and addressed compliance risks unsystematically through efforts that were generally stove-piped within specific divisions. Now the FBI addresses compliance risks systematically and in a way that involves relevant stakeholders and subject matter experts within and outside of the FBI. The following two sections discuss the ICP's efforts to reduce legal compliance risk in more detail.

The ICP has identified risks using a variety of sources.

We found that the ICP uses a variety of sources at both the FBI-wide and the program levels to identify compliance risks, as FBI policy requires.[9] Sources include FBI executives, program managers, employees, and open source information such as newspaper articles and government oversight reports. The ICP's establishment of a systematic process for risk identification has improved the FBI's ability to identify potential compliance risks and senior management's knowledge of compliance weaknesses. According to the FBI Director, one of the most important aspects of the ICP is that it identifies gaps and vulnerabilities.

At the FBI-wide level, there are five Executive Management Committees that identify and select risks to mitigate. Each committee identifies and selects risks that pertain to its functional branch. The five Executive Management Committees corresponding with the FBI's branches are administrative; criminal, cyber, response, and services; information technology; national security; and science and technology.[10] Each committee is chaired by the Executive Assistant Director in charge of that branch and includes the Assistant Directors in charge of the divisions within that branch. The committees meet quarterly to discuss the progress toward mitigating previously identified risks that were selected for mitigation and to identify new risks to address.

FBI executives told us that they identified risks based on knowledge of their branches and through consultation with the managers within their branches and divisions. In addition, the OIC provides FBI executives with Leading Risk Indicator Reports that summarize the risks the OIC staff compile from its own research of open source information, government reports, and new regulations, and from risks that individual FBI employees and employee groups report to the OIC. From the ICP's inception in 2007 to August 2011, the FBI identified 206 indicators of potential FBI-wide risk to be considered by the five Executive Management Committees and selected 50 of those risks for analysis and potential mitigation.

At the program level, the managers in charge of the 53 major programs are required to determine their highest priority risk within their programs and report their selections to the OIC in bi-annual reports. The programs that are required to participate span 20 different FBI divisions and all 5 of the FBI's functional branches. In a sample of bi-annual reports covering actions initiated before or during the reporting period of December 2009 to June 2010, we found that 44 program areas reported program risks. Of the nine other programs, the OIC had exempted three from reporting program risks. The remaining six program area managers had not submitted reports. In these instances, the OIC directed managers to identify and submit risks "in accordance with FBI policy" in their next bi-annual reports.

Through the ICP, the FBI took steps to reduce legal compliance risk by implementing mitigation plans.

The ICP has implemented mitigation plans at both the FBI-wide and program levels. At the FBI-wide level, the ICP implemented 13 mitigation plans. We reviewed 11 of these plans.[11] Five of the implemented plans had been audited. We found that the mitigation steps the FBI implemented for three of the five audited plans sufficiently mitigated the risks, but additional efforts were required to completely mitigate the risks addressed by the other two plans.[12] Although the mitigation plans for the remaining six risks appear reasonable, we cannot determine whether they have mitigated the risks because information necessary for us to make this assessment (such as an audit or mitigation action that we could observe in the field) was not available at the time of our review. We provide examples of these risks, the actions the ICP took to mitigate them, and the outcomes of the mitigation steps in the body of this report.

At the program level, we reviewed the reports that program managers submitted to the OIC covering their risk mitigation work completed or initiated between December 2009 and July 2010. We found that OIC staff members had determined 16 risks to be closed (mitigated) and that managers had begun to mitigate an additional 86 risks. We cannot conclude that compliance risk in these areas was mitigated because the ICP does not require verification of program-level mitigation actions, but the mitigation actions for 5 of the 16 risks established internal controls that we believe could reasonably be expected to reduce the risk.

The remaining 11 risks entailed mitigation actions, such as issuing additional guidance, but did not specify the establishment of internal controls, or additional internal controls if regular monitoring efforts were already in place, which would have provided more assurance of the mitigations' effectiveness. While the actions established in the mitigations appear reasonable, without adequate verification that they resulted in the needed changes, it is not possible to know whether the steps were adequate or whether additional steps are required. For example, the National Name Check Program, which disseminates information from FBI files to other federal agencies when requested, identified a risk that inadvertent release of protected information might occur. To mitigate the risk, the program developed a standard operating procedure to prevent inadvertent release of protected information. It also required all National Name Check Program employees to attend annual training covering the guidelines for disseminating certain information. However, other than the Quality Assurance Program that was already in place, which reviews about 10 percent of outgoing work, no monitoring was put into place to see if the training was successful or if the risk of inadvertent disclosure was mitigated.

In some cases, such as in the example above, there may be a monitoring mechanism in place, but in current practice program managers do not always share information about the existing monitoring or its results with the OIC. If the OIC is not aware of monitoring and the program does not report the results of monitoring efforts, there is still no way to ensure that the risk mitigation occurred and was effective.

The OIC manages the FBI's ethics program and promotes reporting of compliance concerns.

The OIC established and maintains open communication channels for FBI employees, and the FBI supported the OIC's objectives by establishing new human resource initiatives that encourage compliance and reporting of compliance concerns. For example, the OIC developed new ethics training videos and issued a non-retaliation policy for reporting compliance concerns. We also examined all complaints of retaliation by FBI employees between January 2007 and February 2011 and found no case in which an employee who reported a compliance concern to the OIC later reported being retaliated against for doing so.

However, during our site visits we found that most field division employees we interviewed were unaware of two of the new human resource initiatives that affect them: the Compliance Helpline, which employees can call anonymously to report compliance concerns, and an award to recognize employees for supporting the ICP. We found that only 20 percent (14 of 70) of the field division employees were aware of the Compliance Helpline and only 13 percent (8 of 64) were aware of the award. This lack of awareness limits the effectiveness of these OIC efforts to promote the reporting of compliance concerns throughout the FBI.

The FBI could improve the ICP's effectiveness and sustainability by addressing certain factors.

We identified areas for improvement in the ICP at both the FBI-wide and program levels. We found that FBI executives and managers do not use the risk assessment methodology the ICP designed to evaluate risks. Instead, risk assessment and selection are informal, unsystematic, and undocumented. In addition, the ICP does not have a method to ensure that mitigation actions effectively address program-level risks. Further, the ICP is not fully implemented in field divisions. Finally, the ICP has not established a way to measure progress toward achievement of its goals. Each of these areas for improvement is discussed in the sections below.

FBI executives and managers are not using the ICP's risk assessment methodology, causing risk selection to be informal, unsystematic, and undocumented.

The FBI developed a risk assessment methodology based on its research of best practices of corporate compliance programs (see text box) and the factors of risk it deemed important. The OIC used the methodology initially to help FBI executives understand how to assess risk in the ICP, and executives used the methodology to rank risks that they identified early on in the ICP. However, at the FBI-wide level, only one of the five committees of executives currently uses the methodology at all, and that committee's use of it is limited. In lieu of using the risk assessment methodology, FBI executives' process for prioritizing and selecting risks for mitigation has been informal and based on discussion that was not documented. FBI executives we interviewed told us that they assessed risk through discussion before and during the quarterly Executive Management Committee meetings. The minutes of these meetings include updates on the mitigation actions for risks selected for mitigation, but do not document how participants prioritized or selected risks.

Text box: The FBI's Risk Assessment Methodology

To prioritize risks, the FBI developed a methodology to determine a numeric score for each risk based on the frequency of the activity, consequence of non-compliance, and the probability of non-compliance. The first six factors below help determine the probability of non-compliance. The seventh factor helps to determine the consequence of the activity. Participants also were to consider potential for legal action and reputational harm to the FBI when assessing consequence.

1. Complexity. Does activity occur in multiple locations or internationally, involve external agencies, or have many legal requirements?
2. Internal Risk Indicators. Is there a history of compliance issues? Is there an existing process to assess risk in the area?
3. External Risk Indicators. Have other agencies had problems with the activity? Is there a trend in civil liability or overturned convictions, or external reports citing compliance issues?
4. Environment. Is the activity new or does it require new technology? Is there pressure to conduct the activity?
5. Workforce. Is there turnover among key personnel? Is the workforce experienced and adequately trained?
6. Internal Work Process. Is activity manual or automated? Does it allow individual discretion? Does it require approval and monitoring? Are responsibilities clearly defined?
7. Impact on Privacy and Civil Liberties. Does activity affect privacy, First Amendment rights, individuals directly, or other civil liberties?

Similarly, at the program level, only 29 percent (13 out of 45) of the managers who responded to a survey we conducted reported using the methodology or the factors in it to determine their program's risks. The remaining 71 percent (32 out of 45) appeared to be using their own criteria. We found risk prioritization and selection at the program level is also informal and undocumented. Program managers describe the risks they have identified and their plan to mitigate them in written reports to the OIC. The process does not require in-person contact between OIC staff members and managers.

Requiring a consistent methodology for assessing risk would help the ICP communicate its expectations about the factors to consider in prioritizing and selecting risks to new participants and participants who may not receive in-person guidance in identifying risks. Because the FBI plans to expand field division participation in the ICP and because the FBI's rotation policy ensures that the ICP will constantly have new participants, using established factors is important for the ICP's effectiveness.

Using this risk assessment methodology would also ensure that participants consider the risk factors the FBI deems important. For example, one of the factors included in the methodology the OIC designed for the ICP is a risk's impact on privacy and civil liberties. This is an important factor, but at the FBI-wide level only 33 percent (5 of 15) of executives we interviewed said that they considered this factor when they made their assessments.[13] If FBI executives and program managers are not using the methodology, they may not consider this factor when comparing risks, even though threats to privacy and civil liberties caused by the FBI's misuse of its National Security Letter authority were a significant reason the FBI established the ICP.[14]

The ICP does not require external verification for major program mitigation efforts, and the OIC lacks the authority to require program-level participation.

At the program level, we found that the ICP lacks a way to ensure that risk reduction strategies are implemented and that they reduce compliance risks. Program-level mitigation does not include any independent assessment of implemented strategies. In no case did we find that a mitigated program risk had external verification to ensure that the mitigation actions had been taken and to assess the effectiveness of those actions. Verification could be as simple as someone checking that the plan is implemented and operational, and that the risk appears to be mitigated. Without this step, the ICP cannot ensure that managers' mitigation actions are complete or effective.

Additionally, the OIC staff oversees the program-level risk mitigation, but does not have the authority to require program managers to participate. FBI policy requires major program managers to participate in the ICP, but we found that 6 of 53 (11 percent) major program managers did not.[15] In these instances, the OIC directed managers to identify and submit risks "in accordance with FBI policy" in their next bi-annual reports.[16] Assistant Directors directly supervise program managers and could ensure managers' participation, but we found that only one of the nine Assistant Directors we asked about program-level risk mitigation was aware of it. Four of the 10 OIC staff members we asked said that Assistant Director buy-in to program-level mitigation was important but not consistent. Involving Assistant Directors would help ensure that program managers prioritize program-level risk mitigation.

The ICP is not fully implemented in field divisions.

While there are plans to implement risk identification and mitigation in field divisions in the future, the OIC Assistant Director stated that the focus of the ICP has been to implement the program first at headquarters. Nonetheless, in 2007, the FBI created the Division Compliance Officer position as a collateral duty in FBI field divisions to provide a single point of contact for each field division to support the ICP.[17] We found that, as of fall 2010, field divisions had appointed Division Compliance Officers, but the OIC had not fully developed or used this position. The OIC also had not established a method to identify and mitigate compliance risks in field divisions. The three Division Compliance Officers in the field divisions we visited indicated that they did not yet perform any additional tasks as the point of contact for the OIC.

In August 2011, the OIC's Assistant Director gave us a draft policy that, if approved, would formally implement the ICP in the field. This policy would clarify the role of the Division Compliance Officer and require all field divisions to implement division compliance councils. These councils would identify potential compliance risks to determine whether they constitute actual risk within a division. Once actual risks are identified, the councils would develop, implement, and track mitigation plans to completion. The councils would inform the OIC of compliance risks that could affect multiple field divisions or the FBI as a whole.

The OIC has not established a way to assess the ICP's overall effectiveness or to measure progress toward achievement of ICP goals.

The OIC has not evaluated the effectiveness of the ICP since 2008 or measured its progress toward achievement of the ICP's goals. FBI policy states that "the OIC shall evaluate the effectiveness of and prepare and deliver to FBI senior management an annual report on the state of the ICP."[18] However, since the initial report in 2008, the OIC has not prepared this report. Currently the ICP uses a regular survey to assess FBI employees' attitudes toward compliance every 18 months and a monthly report to track progress toward mitigating specific risks. However, the OIC lacks a method or report for providing an assessment of the ICP overall. Without a way to assess the ICP and a way to measure progress toward accomplishment of the ICP's goals, the OIC cannot determine the ICP's effectiveness at reducing compliance risk or identify where changes in the program should occur to ensure the sustainability of the ICP.

CONCLUSION AND RECOMMENDATIONS

We conclude that while there remain areas for improvement in the FBI's ICP, the program is implementing risk reduction strategies throughout the FBI and has begun to reduce compliance risk. The ICP's identification, analysis, and mitigation of legal compliance risks FBI-wide and at the program level before they develop into problems has the potential to significantly reduce legal compliance risk in FBI operations. We found that three of the five audited mitigation plans at the FBI-wide level reduced compliance risk by making changes to areas such as policy, training, and operations. We believe that the concept of the FBI's OIC program has been beneficial to its efforts to monitor and enhance compliance with legal requirements, and that other agencies may wish to consider implementing a similar kind of program.

We also identified several areas in the ICP that, if refined, could improve the FBI's ability to reduce legal compliance risk and the ICP's sustainability. First, increasing employee awareness of the Compliance Helpline and other OIC human resource initiatives could further promote a culture of compliance and the reporting of compliance concerns.

Second, FBI executives and managers are not using the ICP's risk assessment methodology, causing risk selection to be informal, unsystematic, and undocumented. Consequently, current and future participants in the processes, particularly those at the field division level, may not know how they are to select risks and may not consider all the factors the FBI deems important. Third, the FBI cannot ensure that program-level risks are fully mitigated because the ICP does not require verification of program-level risk mitigation actions and Assistant Director involvement in program mitigation is lacking.

Fourth, the ICP is not fully implemented in field divisions. Each field division appointed a Division Compliance Officer, but the OIC has not fully developed or used this position or established a method to identify and mitigate compliance risks in field divisions. Because field division employees are more likely to report compliance concerns to officials within their field division rather than to headquarters, the ICP's effectiveness at identifying compliance risks affecting the field depends on the Division Compliance Officer's role being developed through a structure for risk identification and mitigation.

Finally, the OIC has not yet established a way to measure progress toward accomplishment of the ICP's goals and does not prepare annual reports of the ICP's activities as required. As a result, the OIC does not have a way to assess the ICP's effectiveness or to identify where changes in the program should occur.

In this report, we make five recommendations to the FBI to help the ICP improve its efforts to reduce legal compliance risks. For example, we recommend that the OIC increase awareness of the Compliance Helpline and other OIC human resource initiatives. In addition, we recommend that the FBI consider using a formal risk assessment methodology that includes a specific list of criteria that must be considered. To enhance the effectiveness of mitigation at the program level, we recommend increased Assistant Director involvement and that the ICP require program-level risk mitigation to include a verification step. To ensure that the FBI can assess the overall effectiveness of the ICP, we recommend that it comply with existing requirements for an annual report assessing the effectiveness of the ICP; for example, a report that articulates the program's goals, shows progress toward accomplishing them, and identifies areas for improvement.

NOTES

[1] The FBI defines a legal compliance risk as potential harm to the FBI caused by failures of FBI personnel to comply with the laws and policies governing FBI operations.

[2] The FBI plans to expand its bureau-wide and program-level efforts to identify and reduce legal compliance risks in the future to include the participation of field office personnel.

[3] The ICP is not a separate office within the FBI. Except for OIC staff members who manage the program full time, the remaining work of the program is conducted by FBI employees and committees who do the work of the program in addition to their regular duties. In this report we attribute actions to the ICP to convey that various individuals or entities are collectively performing the ICP's functions.

[4] FBI Policy Directive 0002D, FBI Integrity and Compliance Program, June 25, 2007.

[5] FBI, The 2008 State of the Integrity and Compliance Program, and U.S. Department of Justice Office of the Inspector General, Review of the Federal Bureau of Investigation's Use of National Security Letters (March 9, 2007). Under five statutory provisions, the FBI can use National Security Letters to obtain, without a court order, records such as customer information from telephone companies, Internet service providers, financial institutions, and consumer credit companies.

[6] While there are many programs in the FBI, this review focused on the FBI's 53 major programs because these are the only programs the ICP requires to report to the OIC. The OIC determined the FBI's 53 major programs by reviewing budget data, consulting with the FBI's Inspection Division to identify programs that are required to periodically report on their performance to that division, and after review and approval by senior management.

[7] Before Executive Management Committees review potential risks and determine whether they may be a concern for the FBI, the FBI considers them "potential risk indicators."

[8] According to the FBI, since the ICP's inception, at the FBI-wide level, 26 risk mitigation plans have been developed and approved to address identified risks but only 13 have been implemented.

[9] FBI Policy Directive 0002D, FBI Integrity and Compliance Program, June 25, 2007.

[10] The administrative Executive Management Committee is made up of the Human Resources Branch and various entities in the FBI Director's Office with administrative responsibilities.

[11] We did not review 2 of the 13 implemented mitigation plans because they contained classified material, and we determined that access to that material was not essential to our review.

[12] We could not conclude that the FBI reduced actual non-compliance because it did not establish baselines of non-compliance before implementing mitigation steps that we could compare to non-compliance after implementation. The ICP does not measure whether its actions reduce non-compliance.

[13] The other 10 executives may also have considered this factor but they did not tell us that they did when we asked, "What factors do you consider when assessing risks?"

[14] U.S. Department of Justice Office of the Inspector General, Review of the Federal Bureau of Investigation's Use of National Security Letters (March 9, 2007).

[15] FBI Policy Directive 0126D, Application of the Integrity and Compliance Program to FBI Program Management, October 24, 2008.

[16] In the bi-annual reports, which are reviewed by OIC staff, program managers are to include a description of risks identified and their plan for mitigating the highest priority risk.

[17] FBI Policy Directive 0005D, FBI Division Compliance Officer, October 1, 2007.

[18] FBI Policy Directive 0002D, FBI Integrity and Compliance Program, June 25, 2007.
Department of Justice                                                 xii\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                                    TABLE OF CONTENTS \n\n\n\n\n      BACKGROUND ................................................................................. 1 \n\n\n      RESULTS OF THE REVIEW ............................................................ 13 \n\n\n            The ICP is beginning to reduce the FBI\xe2\x80\x99s compliance risk ......... 13\n\n\n            Addressing areas for improvement could enhance the\n            ICP\xe2\x80\x99s Effectiveness ................................................................... 26\n\n\n      CONCLUSION AND RECOMMENDATIONS ...................................... 35 \n\n\n      APPENDIX I: FBI COMPLIANCE PROGRAM POLICIES.................... 37 \n\n\n      APPENDIX II: LIST OF FBI MAJOR PROGRAMS ............................. 38 \n\n\n      APPENDIX III: METHODOLOGY OF THE OIG REVIEW ................... 40 \n\n\n      APPENDIX IV: FBI STRATEGIC SHIFTS ANTICIPATED BY OIC ....... 44 \n\n\n      APPENDIX V: FBI EMPLOYEE SURVEY QUESTIONS ..................... 45 \n\n\n      APPENDIX VI: FBI RESPONSE TO DRAFT REPORT........................ 46 \n\n\n      APPENDIX VII: OIG ANALYSIS OF FBI RESPONSE......................... 49 \n\n\n\n\n\nU.S. Department of Justice\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cU.S. Department of Justice\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                                       BACKGROUND \n\n\n\n       In June 2007, the Federal Bureau of Investigation (FBI) established the\nIntegrity and Compliance Program (ICP) to proactively identify and correct\nweaknesses in policy, training, monitoring, and auditing that could result in\nFBI employees violating the law as they conduct their work. 
The FBI defines a\nlegal compliance risk as harm to the FBI caused by failures of FBI personnel to\ncomply with the laws and policies governing FBI operations. The ICP is\nmodeled on corporate compliance programs that institute systematic\nprocedures to ensure that companies adhere to the laws that govern them.\n\n\n      According to the FBI\xe2\x80\x99s 2008 State of the Integrity and Compliance Program\nreport, the impetus for the FBI\xe2\x80\x99s establishment of the ICP was a 2007 Office of\nthe Inspector General (OIG) report that found FBI personnel had not complied\nwith laws and policies governing the use of National Security Letter authority.19\nThe OIG report stated that the FBI had issued these letters without proper\nauthorization, made requests outside of the scope allowed by statute, and\nconducted unauthorized collection of telephone or Internet e-mail transactional\nrecords.\n\n       We conducted this review to assess the performance of the FBI\xe2\x80\x99s ICP.\nThe objectives of this review were to evaluate how the FBI\xe2\x80\x99s ICP: (1) identifies\nrisks of non-compliance with laws, regulations, rules, and FBI and Department\nof Justice policies; (2) assesses identified risks; (3) analyzes highly ranked\nrisks; (4) mitigates risks with adequate corrective actions; (5) monitors the\nimplementation of the corrective actions to ensure that mitigation is effective;\nand (6) promotes a culture of integrity and ethical compliance throughout the\nFBI.\n\nThe Integrity and Compliance Program\n\n       The ICP\xe2\x80\x99s goal is to prevent FBI employees from violating the laws and\npolicies that govern their work: (1) through operation of the FBI\xe2\x80\x99s Ethics and\nStandards of Conduct program, which entails providing guidance and training\nthat emphasize the importance of complying with laws and policies, and of\nreporting non-compliance; and (2) by identifying and reducing legal compliance\n\n       19  U.S. 
Department of Justice Office of the Inspector General, Review of the Federal\nBureau of Investigation\xe2\x80\x99s Use of National Security Letters (March 9, 2007). Under five statutory\nprovisions, the FBI can use National Security Letters to obtain \xe2\x80\x93 without a court order \xe2\x80\x93\nrecords such as customer information from telephone companies, Internet service providers,\nfinancial institutions, and consumer credit companies.\n\n\nU.S. Department of Justice                                                              1\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0crisks in FBI operations FBI-wide and at the program level. There are also plans\nto expand the ICP\xe2\x80\x99s risk identification and mitigation efforts to FBI field\ndivisions in the future.\n\n       The ICP is a multi-level program and involves staff at various levels of the\nFBI. At the FBI-wide level, FBI executives identify, analyze, and mitigate legal\ncompliance risks that affect the FBI as a whole and that may involve\ncoordination between more than one functional area within the FBI, and\nsometimes outside of, the FBI to resolve. At the program level, FBI program\nmanagers identify, analyze, and mitigate risks within their programs that can\nbe resolved through changes internal to those programs. FBI employees\nparticipate in the ICP through several committees and groups, and through\ndirect interaction with the FBI\xe2\x80\x99s Office of Integrity and Compliance (OIC), which\nmanages the ICP. 
The FBI\xe2\x80\x99s Inspection Division and the FBI\xe2\x80\x99s Office of General\nCounsel also have ongoing roles in risk identification and mitigation, and other\nFBI employees take part in the ICP as needed.\n\n       In the sections below we describe in more detail the OIC\xe2\x80\x99s role in\nmanaging the ICP and in risk identification and mitigation at the FBI-wide\nlevel, program level, and in FBI field divisions.\n\nOffice of Integrity and Compliance\n\n      The OIC is an independent office within the Office of the FBI Director. Its\nmission is to \xe2\x80\x9cdevelop, implement and oversee a program that ensures that\nthere are processes and procedures in place that facilitate FBI compliance with\nboth the letter and spirit of all applicable laws, regulations, and policies.\xe2\x80\x9d20\nThe OIC does this by managing the ICP\xe2\x80\x99s risk identification, analysis, and\nmitigation efforts at the FBI-wide and program levels (which we discuss later in\nthis Background section), managing the FBI\xe2\x80\x99s Ethics and Standards of Conduct\nProgram, and by maintaining channels of communication for reporting\ncompliance concerns. The OIC is also responsible for assessing the ICP. The\nOIC is led by an Assistant Director and consists of one Unit Chief, nine\nAttorneys, two Management Program Analysts, one Supervisory Special Agent,\nand one administrative staff member. The OIC\xe2\x80\x99s staff members are the only\nFBI employees who work exclusively on the ICP.\n\n\n\n\n       20   FBI Policy Directive 0002D, FBI Integrity and Compliance Program, June 25, 2007.\n\n\nU.S. Department of Justice                                                           2\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cThe OIC is responsible for managing the FBI\xe2\x80\x99s Ethics and Standards of Conduct\nProgram.\n\n       In 2007, the FBI\xe2\x80\x99s Ethics and Standards of Conduct Program became a\npart of the ICP and is managed by the OIC. 
The purpose of the Ethics and\nStandards of Conduct Program is to \xe2\x80\x9cpromote an organizational culture that\nencourages ethical conduct and a commitment to compliance with the law.\xe2\x80\x9d21\nThe FBI refers to this as \xe2\x80\x9ca culture of compliance.\xe2\x80\x9d The program includes\nensuring that the FBI complies with financial disclosure reporting\nrequirements; conducting training for new employees on FBI and government\nethics policies and providing in-service ethics training and information to\nexisting employees; maintaining up-to-date policies and guidance on ethics\nrequirements; and responding to employees\xe2\x80\x99 specific questions about whether\ncertain activities are allowable. For example, employees may need help\nknowing when and if they are allowed to accept gifts or whether they need to\nreport certain activities. In addition to these activities, the OIC assesses the\nFBI\xe2\x80\x99s \xe2\x80\x9cculture of compliance\xe2\x80\x9d using questions it added to the FBI employee\nsurvey. The FBI conducts this survey of its employees every 18 months to\nassess the employees\xe2\x80\x99 perspectives on topics related to their work environment.\n\nThe OIC is responsible for maintaining \xe2\x80\x9copen and effective\xe2\x80\x9d communication for\nreporting compliance concerns.\n\n      To fulfill its responsibility to maintain open and effective communication,\nthe OIC developed FBI policy directives and human resource initiatives that\noutline the roles and responsibilities of FBI divisions, ICP committees, and\nemployees (see Appendix I). For example, the ICP requires that all FBI\nemployees report any known or suspected violations of law or FBI policy that\nthey observe.22\n\n      In September 2008, the OIC established a Compliance Helpline for FBI\nemployees to call to report compliance concerns anonymously. The helpline is\noperated by a contractor that receives the calls and relays the reported\nconcerns to the OIC. 
Employees can also report concerns directly to OIC staff\nusing any method, including telephone, e-mail, mail, or in person. The OIC\nassesses each concern, forwards it to the FBI division to which it pertains,\nand \xe2\x80\x93 unless the concern was reported anonymously \xe2\x80\x93 contacts the employee\n\n\n       21 Office of Integrity and Compliance, FBI Integrity and Compliance Program: An\nOverview, slide presentation, May 19, 2010.\n\n       22FBI Policy Directive 0003D, FBI Integrity and Compliance Executive Management\nCommittees Charter, June 25, 2007.\n\n\nU.S. Department of Justice                                                          3\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cwho reported the concern to tell them how the FBI division to which it was\nassigned will address it.\n\n      Additionally, the OIC established human resource initiatives to\nencourage the reporting of compliance concerns. These initiatives included the\naddition of compliance elements to employee performance appraisals, the\nestablishment of awards that reward employees who support the ICP, and the\ncreation of a non-retaliation policy that states that \xe2\x80\x9cemployees must be\ncomfortable raising compliance concerns without fear of retaliation.\xe2\x80\x9d23\n\nThe OIC is responsible for assessing the ICP.\n\n       FBI policy also assigns responsibility for assessing the ICP\xe2\x80\x99s performance\nto the OIC. Specifically, policy requires the OIC to evaluate the effectiveness of\nthe ICP through an annual report and to support the ICP in evaluating risk-\nmitigation measures.\n\nFBI-wide Risk Identification and Mitigation\n\n       In July 2007, the ICP established a method through which FBI\nexecutives identify and address FBI-wide compliance risks through a series of\nsteps: identification, prioritization and selection, analysis, mitigation, and\naudit. 
OIC staff members manage each step, and different FBI committees and\nemployees provide the subject matter expertise needed at each step. The\nfollowing sections present the roles and responsibilities as well as the steps\ntaken to identify and mitigate FBI-wide legal compliance risks.\n\nThe Integrity and Compliance Council oversees the ICP and five committees of\nFBI executives identify and mitigate FBI-wide risks.\n\n      Integrity and Compliance Council. The Integrity and Compliance Council\noversees the ICP and meets three times a year.24 It is chaired by the FBI\nDirector, and its members are the Deputy Director, the Associate Deputy\nDirector, the five Executive Assistant Directors, the Chief Financial Officer, the\nGeneral Counsel, and the Assistant Director of the OIC, who attends meetings\nand provides reports on the activities of the ICP. As Council Chairperson, the\nDirector designates the top 10 compliance risks confronting the FBI. The\nDirector may also identify risks for analysis.\n\n         FBI Policy Directive 0032D, Non-retaliation for Reporting Compliance Risks,\n        23\n\nFebruary 11, 2008.\n\n        24   FBI Policy Directive 0004D, FBI Integrity and Compliance Council Charter, June 25,\n2007.\n\n\nU.S. Department of Justice                                                             4\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       Executive Management Committees. Executive Management Committees\nmeet quarterly to identify risks for the FBI to address, select which risks to\nanalyze and mitigate, and discuss the status of mitigation plans previously\ninitiated.25 There are five Executive Management Committees, one for each of\nthe FBI\xe2\x80\x99s five branches or functional areas (see Table 1). An Executive\nAssistant Director chairs each Executive Management Committee. 
Committee\nmembership includes the Assistant Directors of each division within that\nbranch, the Assistant Director of the OIC, and representation from the Office of\nthe General Counsel. At least one OIC staff member also attends. FBI policy\nalso states that representatives from small, medium, and large FBI field\ndivisions participate in the Executive Management Committees.\n\n\n\n\n       25FBI Policy Directive 0003D, FBI Integrity and Compliance Executive Management\nCommittees Charter, June 25, 2007.\n\n\nU.S. Department of Justice                                                       5\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c    Table 1: Executive Management Committees and Their Corresponding \n\n                               Divisions \n\n\n  Executive Management Committee                             Division\n Administrative                       Office of Equal Employment Opportunity Affairs\n                                      Facilities and Logistics Services Division\n                                      Finance Division\n                                      Human Resources Division\n                                      Inspection Division\n                                      Office of Congressional Affairs\n                                      Office of Law Enforcement Coordination\n                                      Office of Public Affairs\n                                      Office of Professional Responsibility\n                                      Records Management Division\n                                      Resource Planning Office\n                                      Security Division\n                                      Training Division\n Criminal, Cyber, Response, and       Criminal Investigative Division\n Services                             Cyber Division\n                                      Critical Incident Response Group\n                                      International 
Operations Division\n                                      Office of Victim Assistance\n Information Technology               Office of the Chief Knowledge Officer\n                                      Information Technology Engineering Division\n                                      Information Technology Management Division\n                                      Information Technology Operations Division\n National Security                    Counterintelligence Division\n                                      Counterterrorism Division\n                                      Directorate of Intelligence\n                                      Weapons of Mass Destruction Directorate\n Science and Technology               Criminal Justice information Services Division\n                                      Laboratory Division\n                                      Operational Technology Division\n Source: FBI Organizational Chart.\n\n\n\nThere are five steps for addressing compliance risks at the FBI-wide level.\n\n       The FBI addresses compliance risks at the FBI-wide level in five steps:\nrisk identification, risk prioritization and selection, risk analysis, risk\nmitigation, and audit. The process is displayed in Figure 1 and discussed\nbelow.\n\n\n\n\nU.S. Department of Justice                                                     6\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                 Figure 1: Risk Identification and Reduction of \n\n                        FBI-Wide Legal Compliance Risks \n\n\n\n\n\n                      Source: OIG analysis of FBI program directives.\n\n\n\n\nU.S. Department of Justice                                              7\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       Risk Identification. The Director, Executive Assistant Directors, and\nAssistant Directors identify potential risks within their functional branch or\ndivision. 
The OIC also compiles summaries of potential legal compliance risks\nidentified through its own research and from concerns reported by FBI\nemployees. The OIC provides these summaries \xe2\x80\x93 known as Leading Risk\nIndicator Reports \xe2\x80\x93 to the Executive Management Committees to consider when\nthey meet to prioritize and select new risks to analyze, tailoring the summaries\nto each of the committees\xe2\x80\x99 subject areas. The Assistant Director of the OIC\nalso ensures that committees select new risks to mitigate when the mitigation\nis complete for risks previously selected.\n\n       Risk Prioritization and Selection. After an Executive Management\nCommittee identifies potential risks, it selects which ones to analyze. To assist\nthe committee members in comparing and prioritizing risks based on a specific\nset of factors, the OIC created a risk assessment methodology based on the\nbest practices of corporate compliance programs. To apply the methodology,\nparticipants determine a numeric score for each risk based on the frequency of\nthe activity, consequence of non-compliance, and the probability of non\xc2\xad\ncompliance. The first six factors below help determine the probability of non\xc2\xad\ncompliance. The seventh factor helps determine the consequence of the\nactivity. Participants also consider the potential for legal action and\nreputational harm to the FBI when assessing consequence.\n\n      1.\t Complexity. Does activity occur in multiple locations or\n          internationally, involve external agencies, or have many legal\n          requirements?\n\n      2.\t Internal Risk Indicators. Is there a history of compliance issues? Is\n          there an existing process to assess risk in the area?\n\n      3.\t External Risk Indicators. Have other agencies had problems with the\n          activity? 
Is there a trend in civil liability or overturned convictions, or\n          external reports citing compliance issues?\n\n      4.\t Environment. Is the activity new or does it require new technology? Is\n          there pressure to conduct the activity?\n\n      5.\t Workforce. Is there turnover among key personnel? Is the workforce\n          experienced and adequately trained?\n\n      6.\t Internal Work Process. Is activity manual or automated? Does it allow\n          individual discretion? Does it require approval and monitoring? Are\n          responsibilities clearly defined?\n\n\nU.S. Department of Justice                                                    8\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c      7.\t Impact on Privacy and Civil Liberties. Does activity affect privacy, First\n          Amendment rights, individuals directly, or other civil liberties?\n\n       The Executive Assistant Director for the committee approves the\nselection of the potential risk for analysis, and the Division considered to be\nmost involved with the risk becomes responsible for analyzing the risk. The\nAssistant Director in charge of the selected division, or the Assistant Director\xe2\x80\x99s\ndesignee, becomes the \xe2\x80\x9crisk owner.\xe2\x80\x9d The risk owner is responsible for\noverseeing the analysis. If the analysis shows that mitigation is needed, the\nrisk owner is also responsible for overseeing the mitigation of the risk.\n\n       Risk Analysis. After the risk has been assigned to a risk owner, the risk\nowner forms a Red Team to analyze the selected risk. The Red Team, led by a\nrepresentative from the division assigned to be the risk owner, assesses the\nadequacy of policies and procedures, training, and monitoring and auditing\nefforts associated with the risk, and identifies compliance weaknesses. 
The\nRed Team then produces a written report that includes a legal analysis of\napplicable law and regulations; and analysis of how existing policy and\nprocedures, training, and monitoring and auditing efforts comply with the legal\nrequirements outlined in the legal analysis. The Red Team also makes\nrecommendations to address the weaknesses identified. Red Teams are\nusually composed of one or two OIC staff members, employees who are subject\nmatter experts on the selected risk, and one attorney from the Office of General\nCounsel, who is responsible for writing the legal analysis. Red Teams typically\nhave 90 days to complete their reports, but this deadline is largely dependent\nupon the complexity of the issue under review.\n\n       Risk Mitigation. If the Red Team\xe2\x80\x99s risk analysis determines that a legal\ncompliance risk does exist, then a mitigation team is formed to design a plan to\naddress the issues identified in the Red Team report. The mitigation team is\nled by a representative from the division assigned to be the risk owner.\nMitigation team members are often the same as the Red Team\xe2\x80\x99s. If\nimplementation of the mitigation plan requires technical expertise, then the\nOIC may request that the relevant division provide a representative with that\nexpertise to the team. For example, if the mitigation requires the design of\nsoftware, the OIC would request information technology specialists to assist the\nteam. After the Deputy Director approves the mitigation plan, the divisions\nspecified in the plan are then responsible for implementing the portions of the\nplan they are assigned.26\n\n\n\n       26  The OIC also can select and mitigate issues itself. For these issues, the OIC takes\nthe place of the Red Team and the mitigation team.\n\n\nU.S. Department of Justice                                                              9\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       Audit. 
When the ICP believes that a risk mitigation plan has been fully\nimplemented, the OIC requests that the Inspection Division conduct an audit.\nThe audit verifies whether the plan has been implemented, whether the risk of\nnon-compliance is reduced, and whether there is non-compliance in the\nactivity. The Inspection Division conducts its audit after enough time has\npassed for the implementation of the plan to reasonably have taken effect. If\nthe audit determines that the risk was mitigated, the ICP closes the risk. If the\naudit shows that non-compliance risk remains, the risk owner, OIC staff, and\nrelevant stakeholders will develop a corrective action plan until the risk has\nbeen fully mitigated.\n\n       On February 3, 2011, the FBI informally established a unit within the\nInspection Division called the Compliance and Mitigation Unit. This unit was\ncreated to plan, design, and coordinate the audits of the implemented risk\nmitigation plans. The unit is led by a Section Chief and has four additional\nstaff members. According to the FBI, as of August 2011 this unit had not been\nformally approved, but convenes regularly.\n\nRisk Identification and Mitigation at the Program Level\n\n       At the program level, the FBI uses a different process to identify and\nmitigate legal compliance risks. FBI policy requires managers of 53 major\nprograms to apply compliance principles and methodology to their programs to\nidentify risks that can be mitigated within those programs.27 The OIC\ndetermined which of the FBI\xe2\x80\x99s programs are \xe2\x80\x9cmajor\xe2\x80\x9d by reviewing budget data\nand consulting with the FBI\xe2\x80\x99s Inspection Division. FBI senior management\nreviewed and approved the list. These programs are located within\nheadquarters divisions. 
See Appendix II for the list of FBI major programs.

Since June 2009, the OIC has required major program managers to identify and prioritize their top three legal compliance risks for mitigation and to submit reports twice a year to the OIC and their Assistant Directors. These reports are to include a description of these risks and the plan for mitigating the highest priority risk. The OIC reviews the program reports to make sure the issues identified are legal risks, the plans to address the risk are realistic, and that program managers are taking the steps that could reasonably be expected to reduce the risk. According to the template program managers use to develop risk mitigation plans, the program level should also include an audit or a way to monitor the mitigation steps.

[27] FBI Policy Directive 0126D, Application of the Integrity and Compliance Program to FBI Program Management, October 24, 2008.

Risk Identification within FBI Field Divisions

The FBI established the Division Compliance Officer position in 2007 to provide a single point of contact for each division in support of the ICP and to be the OIC’s contact in each field division.[28] Twenty-seven headquarters divisions and all 56 field divisions have designated at least one individual to serve as their Division Compliance Officer.[29] In 84 percent of field divisions (47 of 56), the Division Compliance Officers are also the field divisions’ Chief Division Counsels. In this capacity, the Division Compliance Officers provide advice and training regarding the legal and ethical requirements of the FBI.

In August 2011, the OIC submitted a draft policy to the FBI’s Corporate Policy Office that would formally implement the ICP in field divisions. If approved, this policy will implement division compliance councils in each field division and will clarify the role of FBI employees serving as Division Compliance Officers. According to the policy, the councils will provide an additional level of risk identification and mitigation through which field divisions are to reduce legal compliance risks.

Purpose and Scope of the OIG’s Review

The objectives of this review were to evaluate how the FBI’s Integrity and Compliance Program: (1) identifies risks of non-compliance with laws, regulations, rules, and FBI and Department of Justice policies; (2) prioritizes and selects identified risks; (3) analyzes highly ranked risks; (4) mitigates risks with adequate corrective actions; (5) monitors the implementation of the corrective actions to ensure that mitigation is effective; and (6) promotes a culture of integrity and ethical compliance throughout the FBI.

We examined the FBI’s ICP since its establishment in 2007 through August 2011, including the roles and responsibilities of all entities that are part of the program. We evaluated the program the FBI developed and implemented for identifying, assessing, mitigating, and monitoring legal compliance risks FBI-wide and in major programs at the program level. Our methodology included in-person and telephone interviews of FBI personnel in the Washington, D.C., area; site visits to interview FBI field office personnel in three field divisions; review of a variety of documents, such as FBI policies of the Integrity and Compliance Program and Executive Management Committee meeting minutes; an e-mail questionnaire administered to FBI major program managers; data analysis; and observation of meetings of the Executive Management Committees. We conducted fieldwork from July 2010 to March 2011. More details on our methodology are discussed in Appendix III.

[28] FBI Policy Directive 0005D, FBI Division Compliance Officer, October 1, 2007.

[29] Four of the 56 field offices designated at least 2 people to be their Division Compliance Officers.

RESULTS OF THE REVIEW

THE ICP IS BEGINNING TO REDUCE THE FBI’S COMPLIANCE RISK

    Through its ICP, the FBI has implemented strategies that have started to reduce legal compliance risk within FBI operations and activities. We found that, since the ICP’s inception in 2007, the ICP has used a variety of sources to identify 206 FBI-wide potential risks and 112 program-level risks, and conducted risk analyses and developed mitigation plans. As a result, the FBI has started to reduce compliance risk by implementing mitigation plans for 13 FBI-wide risks and 16 program-level risks. Five of the implementations of FBI-wide plans have been audited, and we found that legal compliance risk was mitigated in three instances and not fully mitigated in two. Further, we determined that the process the ICP used to develop mitigation plans addressed the areas of compliance risk that the Red Teams identified in their risk analyses and involved relevant stakeholders. Finally, in managing the FBI’s ethics program, the OIC has promoted reporting of compliance concerns.

The implementation of the ICP marked a fundamental change in how the FBI identifies and manages legal compliance risks before they develop into problems.
Prior to the ICP, the FBI identified and addressed compliance risks unsystematically through efforts that were generally stove-piped within specific divisions. The ICP has improved FBI management’s understanding of the FBI’s compliance risks by requiring executives and managers to routinely and systematically identify risks. In addition, risk analyses and mitigation plans that the ICP developed at the FBI-wide level have the potential to reduce compliance risk because they incorporate the input of relevant stakeholders and subject matter experts within and outside of the FBI; address the adequacy of policy and procedure, training, and monitoring and auditing efforts; and, if necessary, propose significant operational and policy changes to address the identified risk.

At the FBI-wide level, we found that 3 of the 11 implemented mitigation plans that we reviewed mitigated compliance risk in their areas by implementing controls and operational and policy changes.[30] We found that two implemented mitigation plans had not mitigated the risk identified. The remaining six plans appeared reasonable, but we cannot conclude that they effectively reduced compliance risk because evidence for us to make such an assessment (such as an audit or mitigation action that we could observe in the field) was not available at the time of our review. At the program level, we found that the ICP implemented 16 risk mitigation strategies.
However, because there is no verification that the mitigation strategies were implemented and effective, we cannot conclude that compliance risk was mitigated in these areas.

The following two sections discuss the FBI’s efforts to reduce legal compliance risk through the ICP in more detail.[31]

The ICP has identified risks using a variety of sources.

The ICP identifies legal compliance risks from a variety of sources at both the FBI-wide and the program level, as FBI policy requires.[32] We interviewed 15 FBI executives, 3 from each of the 5 Executive Management Committees, and found that the variety of sources that they use to identify risks includes FBI executives; program managers; field division employees; and open source information such as policies, oversight entity reports, and newspaper articles.

The ICP uses a variety of sources to identify FBI-wide risks.

As of August 2011, the executives from the 5 Executive Management Committees, corresponding to the FBI’s 5 functional branches, and OIC staff members had collectively identified approximately 206 potential risk indicators for consideration by the Executive Management Committees.[33] Of these potential risks, FBI executives selected 50 for analysis. The five Executive Assistant Directors we interviewed described the way they identify risks within their branches as drawing on their own experience and expertise and consulting with their Assistant Directors, whom they also require to identify risks within their divisions.

[30] We did not review 2 of the 13 implemented mitigation plans because they contained classified material, and we determined that access to that material was not essential to our review.

[31] The ICP is not a separate office within the FBI. Except for OIC staff members who manage the program full-time, the remaining work of the program is conducted by FBI employees and committees who do the work of the program in addition to their regular duties. In this report we attribute actions to the ICP to convey that various individuals or entities are collectively performing the ICP’s functions.

[32] FBI Policy Directive 0002D, FBI Integrity and Compliance Program, June 25, 2007.

FBI executives told us that they use a variety of sources, as well as their general knowledge of their branches, to identify FBI-wide risks. Six of the 10 Assistant Directors we interviewed stated that they identify risks, in part, by consulting their staff members and talking to their employees who work in field divisions. For example, the Assistant Directors in charge of the Weapons of Mass Destruction Directorate and Operational Technology Division have employees from their programs embedded in field divisions. The positions of these employees allow them to become aware of issues affecting the field and also to report the concerns they identify to supervisors or compliance officers at headquarters. One Assistant Director told us that his Division Compliance Officer solicits risks from his program coordinators in field divisions and that any risks identified are “rolled up” from the Unit Chiefs to the Section Chiefs, and then to him and the Executive Management Committees.[34] He provided an example of a legal risk being identified in the field (see text box).

    Compliance Risk of FBI Employees Following Policy that Does Not Reflect Current Presidential Order

    A Special Agent in Charge of a field office contacted a section chief in the Weapons of Mass Destruction Directorate at FBI headquarters after learning that a new presidential order made Immigration and Customs Enforcement the lead agency on weapons of mass destruction task forces. The Assistant Director of the Directorate told us he viewed this as a compliance risk for the FBI because if FBI employees adhered to the superseded policy, which assumed that the FBI was the lead agency, they could be out of compliance with the presidential order. He raised the issue to the Executive Assistant Director of the National Security Branch.

[33] Before Executive Management Committees review potential risks and determine whether they may be a concern for the FBI, the FBI considers them “potential risk indicators.” We generated this estimate of potential risk indicators from Executive Management Committee meeting minutes, a list of risks identified at the inception of the ICP, and from Leading Risk Indicator Reports from the beginning of the ICP through summer 2010.

[34] In 2007, the FBI appointed Division Compliance Officers within FBI headquarters and each field office to provide a point of contact for each office in support of the ICP.
To help in the identification of legal risks, the OIC provides Leading Risk Indicator Reports to FBI executives for those quarterly meetings in which they will select a new risk to analyze. These reports summarize the risks pertaining to each branch that OIC staff members compile from their research of open source information, government reports, and new regulations, and from risks that individual FBI employees and employee groups reported to the OIC. OIC staff members prepare separate reports for each Executive Management Committee that summarize the legal risks pertaining to each committee’s subject area. We analyzed the sources identified in the reports the OIC prepared between 2008 and 2010 and found that the OIC provided FBI executives risks to consider that OIC staff identified from sources within and outside of the FBI.

FBI managers of major programs are an additional source for risk identification within their program areas.

FBI policy requires managers of the FBI’s 53 major programs to identify legal compliance risk within their program areas across 20 divisions and all 5 of the FBI’s functional branches.[35] In the sample of bi-annual reports program managers submitted to the OIC in December 2010, we found that managers collectively identified 112 program-level legal compliance risks. Program managers from all but 9 of the 53 programs submitted reports detailing their identified risks. The OIC exempted one program in the Administrative Branch from reporting because it had been recently added to the FBI’s major program list and two programs in the Science and Technology Branch because their managers were assisting with mitigating FBI-wide risks. Six other programs did not submit reports.
In such instances, the OIC follows up with the program managers and directs managers to identify and submit risks “in accordance with FBI policy” in their next bi-annual reports.

[35] FBI Policy Directive 0126D, Application of the Integrity and Compliance Program to FBI Program Management, October 24, 2008.

Identifying risks has increased senior management’s understanding of the FBI’s vulnerabilities.

Senior FBI executives we interviewed stated that the ICP facilitates the identification of weaknesses that could result in non-compliance. For example, in our interview with the FBI Director, he noted that in the FBI, there is a tendency to concentrate on the agency’s mission, to keep moving full-speed ahead, and consequently the FBI does not always focus on the potential risks. He said that a benefit of the ICP has been that it identifies “gaps and vulnerabilities” and that the ICP has equipped him with more knowledge about the compliance threats facing the FBI and given him more confidence that there is follow-up on issues that are identified.
The FBI’s General Counsel stated that an organized, methodical way of looking at risk is new in the FBI and that the FBI’s culture is to not talk about problems, but rather to solve them yourself. She stated that the ICP prompted a change in culture because executives are now willing to say, “We have a problem with ‘x.’” A program manager reiterated this view in response to our survey, stating “the process provides for a logical analysis of legal compliance gaps.”

Through the ICP, the FBI has started to reduce legal compliance risk by conducting risk analyses and by developing and implementing mitigation plans.

With the development of risk analyses and mitigation plans at both the FBI-wide and program levels, and implementation of those plans, the FBI has started to reduce legal compliance risks. According to the FBI, the ICP developed 26 total risk mitigation plans to address identified risks. Since its inception, the ICP has fully implemented 13 of the 26 mitigation plans for FBI-wide risks, and 3 of the plans have fully mitigated the compliance risk identified.[36] We determined that the process the ICP used to develop mitigation plans at this level addressed the areas of compliance risk that the Red Teams identified in their risk analyses and involved relevant stakeholders.
At the program level, our review of the reports that program managers submitted to the OIC covering mitigation work completed or initiated between December 2009 and July 2010 found that mitigation plans had been implemented for 102 risks and that OIC staff members had determined 16 of those risks to be closed and fully mitigated.

[36] Our review only addressed the 13 plans that had been fully implemented at the time of our fieldwork.

The following sections discuss the FBI’s efforts to reduce legal compliance risk through the ICP in more detail.

At the FBI-wide level, the ICP has started to reduce the risk of legal non-compliance by implementing mitigation plans.

The ICP mitigated the compliance risk identified in three FBI-wide areas. On the basis of two completed FBI Inspection Division audits that found the risks to be mitigated as well as one OIG audit, we conclude that the FBI has reduced legal compliance risks in three areas. As an example, below we summarize one of three risks identified, the mitigation steps taken, and the results of the audit of the mitigation steps.

    An analysis team evaluated various areas of vulnerability in the collection of and access to DNA information. One conclusion was that the delay in collecting, analyzing, and uploading DNA samples from federal convicted offenders, federal arrestees, and non-U.S. detainees to the Combined DNA Index System could lead to congressional inquiries, public criticism, and litigation from crime victims.
    The mitigation team developed a mitigation plan, dated January 24, 2008, to eliminate the existing Federal Convicted Offender Program backlog and minimize the probability of future backlogs by hiring additional staff and acquiring additional laboratory space and equipment. An OIG audit found that the FBI successfully eliminated this backlog and reduced the compliance risk in this area.[37]

The ICP did not fully mitigate the identified risk in two FBI-wide areas. FBI Inspection Division audits of two other implemented mitigation plans found that the risks identified had not been fully mitigated. In response, as of August 2011, the ICP was developing and implementing corrective action plans as required by FBI policy. FBI policy states that Integrity and Compliance Council members “shall review and assess the results of audits performed in connection with the ICP to determine whether additional corrective measures should be employed and make related recommendations.”[38] As an example, below we summarize one of the two risks identified, the mitigation steps taken, and the results of the audit of the mitigation steps.

    FBI Special Agents can use administrative subpoenas to obtain information to support investigations involving controlled substances or the sexual exploitation or abuse of children. The ICP found that the process for obtaining administrative subpoenas allowed agents to use them for other types of investigations and that the FBI did not have a way to track the overall number of administrative subpoenas issued, as the Attorney General’s Guidelines require.[39] To mitigate this risk, the ICP developed a plan, dated October 11, 2007, to automate the form that agents use to request administrative subpoenas. The automated form was to include a built-in control that would limit the types of investigations for which agents could obtain administrative subpoenas. The automated system was also to track each request.

[37] U.S. Department of Justice Office of the Inspector General, Audit of the Federal Bureau of Investigation’s Convicted Offender, Arrestee, and Detainee DNA Backlog, Audit Report 11-39 (September 2011), 19-21.

[38] FBI Policy Directive 0004D, FBI Integrity and Compliance Council Charter, June 25, 2007.

A March 2011 FBI Inspection Division audit of the mitigation steps found that compliance concerns remained and, as a result, the audit made 11 recommendations for further mitigation of the administrative subpoena compliance risk. As of August 2011, the ICP was developing a corrective action plan and expected to have a draft in early September 2011.

For these two risks to be mitigated, the corrective action plans must address the findings and recommendations of the audits and be implemented. Because in one case the corrective action plan has not yet been implemented, and in the other case the plan has not yet been developed, we conclude that these risks have not been fully mitigated.

Assessment is not yet possible for six FBI-wide risk areas. The ICP considers the mitigation plans for six risks to have been implemented. But at the time of our review, the mitigation actions for these risks had not been audited, and the changes were either not observable in the field or had not been implemented when we made our site visits.
As a result, we cannot conclude that these risks have been mitigated. As an example, below we summarize one of these six risks and the mitigation actions proposed in the mitigation plan.

    A confidential human source is an individual who provides intelligence to the FBI on FBI investigative and national intelligence priorities. A 2005 OIG report found instances of non-compliance with Attorney General Guidelines in the FBI’s use of confidential human sources due to inadequate administrative support, failure to hold supervisors accountable for compliance deficiencies and to exercise effective oversight of agents using confidential informants, inadequate training on appropriate methods to operate confidential informants, and differences in FBI and Department informant policies.[40] Subsequent to the OIG report, the FBI formed analysis teams to address confidential human sources-related compliance risks. According to the FBI, as a result of the team findings, mitigation efforts were implemented to improve policy, procedures, and training affecting the control and use of confidential human sources in accordance with the OIG report and the analysis team recommendations.

[39] The Attorney General’s Guidelines for Domestic FBI Operations state that the FBI should maintain a database or records system that permits a prompt retrieval of the status and basis for each investigation.

We believe that if the ICP effectively implemented the actions as described in the plans for the six risks that have not yet been audited, it is reasonable to expect that the actions will reduce compliance risk in those areas.
However, without verification that the actions were implemented and effectively addressed the compliance risks, we cannot reach a conclusion that risks were fully mitigated.

The ICP’s process for developing mitigation plans includes relevant stakeholders and has resulted in the development of comprehensive mitigation plans. Our review of the ICP’s process for developing FBI-wide mitigation plans found that they involved the participation of relevant stakeholders and subject matter experts within and outside the FBI.[41] In addition, the mitigation process sometimes led to the creation of inter- and intra-agency working groups so that the mitigation plans were developed with the perspectives of the stakeholders and experts knowledgeable about the risk area. At least 3 FBI divisions participated in the mitigation of each FBI-wide risk, and in one case, 10 divisions participated. Two of the mitigation plans required the participation of more than one Executive Management Committee to address a technical aspect of the risk, one required an inter-agency working group, three required intra-agency working groups, and five required consultation and involvement with Department executive offices. The mitigation teams consult with Department executive offices, such as the Office of Legislative Affairs if a mitigation plan proposes statutory changes or the Criminal Division if a mitigation plan proposes changes that fall within that division’s jurisdiction. FBI executives we interviewed stated that FBI-wide risk mitigation is effective and beneficial because it involves collaboration across FBI functional areas. For example, the FBI’s General Counsel stated that through the ICP, everyone with a role comes together, and the ICP “gets [them] rowing in the same direction at the same time.”

[40] U.S. Department of Justice Office of the Inspector General, The FBI’s Compliance with the Attorney General’s Investigative Guidelines (September 2005).

[41] Mitigation plans are developed based on the findings of the Red Teams’ risk analyses.

Our review of the mitigation plans also found that each contained elements to address relevant compliance weaknesses, as identified in the risk analysis. Specifically, 9 of the 11 plans proposed changes to existing FBI policy or that new policy be drafted, and 10 of the 11 identified the need for and recommended that existing training be modified or additional training be developed and implemented. The plans also proposed significant changes in operations to reduce compliance risk, including the design and deployment of new software and equipment, as well as changes to Department policy and federal legislation.

In addition to implementing mitigation plans for FBI-wide risks, the ICP has also implemented mitigation strategies for 16 program-level risks. We discuss these below.

At the program level, the ICP implemented mitigation strategies for 16 risks.

In our review of the reports that program managers submitted to the OIC covering their program-level risk mitigation work completed or initiated between December 2009 and July 2010, we found that program managers had identified a total of 112 risks.[42] OIC staff determined that 16 risks had been closed and fully mitigated and that program managers had begun mitigating 86 additional risks. For the remaining 10 risks that managers identified, mitigation procedures had not begun.
Because the ICP does not require independent verification of program-level mitigation actions to confirm that the actions were actually completed and effective, we cannot conclude that the actions reduced compliance risk in these areas. However, as we explain in more detail below, we note that the mitigation actions for 5 of the 16 risks that the OIC considered closed established internal controls that we believe could reasonably be expected to reduce the risk. In contrast, the remaining 11 risks did not provide for any monitoring of the mitigation actions and thus provided less assurance of effectiveness.

[42] These are the risks mentioned in the reports we reviewed for one reporting cycle. If program-level risks were identified and mitigated in previous reports, they would not be included in this total.

The mitigation actions for five program-level risks included either an internal audit or the implementation of an automated system that would reduce the likelihood of human error. We conclude that these controls appear reasonable to reduce compliance risk. As an example, below we discuss one of the five compliance risks and the controls program managers described in their report.

    The Surveillance and Aviation Program mitigated a risk of non-compliance with the Federal Aviation Administration’s requirements for pilot currency and safe aircraft operations.
    The program mitigated the risk by adding three new elements to the annual field division inspections that FBI instructor pilots conduct. Specifically, instructor pilots examine divisions’ compliance with safety and security requirements, make sure pilots’ training is up to date, and verify that field divisions comply with all FBI aviation procedures.

The OIC determined that 11 additional risks had been mitigated. For all 11 risks reviewed, we found that none included the implementation of a control or any kind of monitoring to help ensure ongoing compliance, nor did the program assess the effectiveness of the mitigation actions. For example, the National Name Check Program, which disseminates information from FBI files to other federal agencies when requested, identified a risk that an inadvertent release of protected information might occur. To mitigate the risk, the program developed a standard operating procedure. It also required all National Name Check Program employees to attend annual training covering the guidelines for disseminating certain information. However, other than the Quality Assurance Program that was already in place, which reviews about 10 percent of outgoing work, no monitoring was put into place to see if the training was successful or if the risk of inadvertent disclosure was addressed.

In some cases, there may be a monitoring mechanism in place, but in current practice existing monitoring or its results are not necessarily shared with the OIC.
If the OIC is not aware of monitoring and the program does not report the results of monitoring efforts, there is still no way to ensure that the risk mitigation occurred and was effective. Without some kind of monitoring of the risk and verification that the actions stated in the mitigation plan were actually performed and resulted in the needed changes, it is not possible to know whether the steps were effective and actually reduced the risk.

The OIC manages the FBI’s ethics program and promotes reporting of compliance concerns.

The OIC supports the ICP’s objective of reducing compliance risk by promoting the reporting of compliance and ethical concerns within the FBI. The OIC does this by managing the FBI’s Ethics and Standards of Conduct program (ethics program). The OIC also established human resource initiatives that encourage compliance and communication channels for FBI employees to report compliance concerns.

The OIC maintains and has enhanced the FBI’s ethics program.

In 2007, the FBI transferred responsibility for maintaining the ethics program from the Office of General Counsel to the OIC. According to the 2008 State of the Integrity and Compliance Program report, combining the ethics program with the OIC’s compliance program allows the FBI to better coordinate and build on the experience of the personnel in both programs.

The OIC enhanced the ethics program by creating new ethics videos and creating and revising printed ethics information. The OIC created a video in 2008 to highlight the importance of the ICP that features the FBI Director and is shown as part of the new employee and in-service ethics training.
Additionally, the OIC developed a video discussing and reinforcing the FBI’s core values.[43] The OIC also created and distributed a brochure advising FBI employees to report compliance and ethics concerns to the OIC or the appropriate FBI headquarters division and revised the FBI Employee Ethics Handbook. OIC attorneys also receive calls and e-mails regarding ethics questions and provide legal opinions in response. For example, FBI employees contact the OIC for guidance regarding travel and the acceptance of gifts. One OIC attorney stated that in 1 year, he received and responded to more than 2,500 ethics questions.

[43] FBI core values are (1) rigorous obedience to the Constitution of the United States; (2) respect for the dignity of those we protect; (3) compassion; (4) fairness; (5) uncompromising personal integrity and institutional integrity; (6) accountability by accepting responsibility for our actions and decisions and the consequences of our actions and decisions; and (7) leadership, both personal and professional.

The FBI has established initiatives to encourage compliance and ethical behavior within the FBI.

The FBI supported the ICP by establishing human resource initiatives to encourage compliance and ethical behavior. In 2007, the FBI incorporated risk mitigation efforts into executive management’s performance appraisals.
In February 2008, the FBI established a non-retaliation policy that specifically prohibits retaliation against employees for reporting compliance concerns to support a work environment in which there is “open communication regarding compliance risks.”[44] The FBI also established a Director’s award to recognize outstanding employee contributions to the ICP and a Compliance Helpline to facilitate reporting of compliance concerns. Finally, in 2009, the FBI added an addendum to all FBI employee performance appraisals reminding employees to follow the guidelines outlined in the FBI Ethics and Integrity Program Manual and, in order to receive an outstanding rating, to support an environment in which co-workers understand the importance of and are comfortable raising compliance concerns.

To assess whether the FBI supported the intent of the ICP by not violating the retaliation policy, we examined all complaints of retaliation by FBI employees between January 2007 and February 2011. We found that in no case did an employee report a compliance concern to the OIC and later report retaliation for making that report.

To assess whether these initiatives were helping to encourage compliance and ethical behavior, we assessed whether FBI employees were aware of and receiving the Director’s award the OIC established. We found that as of August 2011, 40 FBI employees had received the award since 2008, when the OIC first awarded it. Of those 40 employees, 35 were from headquarters and 5 were from the field divisions. During our field visits, we asked interviewees if they were aware of this award. We found that only 13 percent (8 of the 64) of field division employees we asked were aware of the award.
While this is understandable given that the ICP has so far been a largely headquarters-centric program, as the ICP is further implemented in field divisions, the FBI should raise awareness about this award to field division employees.

Finally, we assessed whether FBI employees were aware of the Compliance Helpline that the OIC created to facilitate the direct reporting of compliance concerns by FBI employees. While the OIC established and began receiving calls over the Compliance Helpline in September 2008, we found that only 20 percent (14 of 70) of the field division employees we asked were aware of it. As of October 2010, the OIC had received 47 Helpline calls from FBI employees, of which 22 were from field division employees. Field division employees need to be aware of the Helpline’s existence for it to be an effective way of reporting compliance concerns.

44 The FBI non-retaliation policy does not expand or contract any “whistleblower” protection that may be available to FBI employees pursuant to 5 U.S.C. § 2303 and Department of Justice regulations set out in 28 C.F.R. Part 27.

Conclusions and Recommendation

The FBI, through the ICP, has started to implement legal compliance risk reduction strategies within its operations and activities by identifying and mitigating risks before they become problems. As of August 2011, the ICP had identified 206 FBI-wide potential risk indicators and 112 program-level risks from a variety of sources, including FBI executives, program managers, employees, and open source information such as newspaper articles and government oversight reports.
The ICP implemented mitigation plans for 13 FBI-wide risks and, according to the reports that program managers submitted to the OIC, 16 program-level risks. As of August 2011, we conclude that the ICP’s implemented mitigation strategies reduced compliance risk in three FBI-wide risk areas.

The OIC also enhanced the ethics program by establishing initiatives to encourage compliance and ethical behavior within the FBI. However, we found that only 20 percent (14 of 70) of the field division employees we asked were aware of the Helpline the OIC established to facilitate direct reporting of compliance concerns and that only 13 percent (8 of the 64) of field division employees we asked were aware of the Director’s award the OIC established to recognize contributions to the ICP.

For the ICP to increase its effectiveness in encouraging compliance and reporting of compliance concerns, we recommend that the FBI:

   1. Increase employee awareness of the Compliance Helpline and other OIC human resource initiatives.

ADDRESSING AREAS FOR IMPROVEMENT COULD ENHANCE THE ICP’S EFFECTIVENESS

       The FBI could improve the ICP’s effectiveness and sustainability by addressing certain factors. We found that FBI executives and managers no longer consistently use the ICP’s risk assessment methodology designed for the ICP to evaluate identified risks, and the risk assessment and selection process is unsystematic and undocumented. In addition, at the program level, there is no external verification that mitigation actions are complete and effective.
       Because of this lack of monitoring, the FBI cannot be sure that the ICP has successfully implemented the risk reduction strategies for the selected risks. Also, the ICP has not yet been fully implemented in field divisions, and as a result, field divisions’ role in risk identification and reporting to the ICP is undeveloped. Finally, the OIC, which manages the ICP, has not established a way to evaluate the program’s overall effectiveness or the effectiveness of its processes. Without evaluation, the ICP cannot identify where changes in the program should occur or ensure the sustainability of the ICP.

We identified areas for improvement in the ICP at both the FBI-wide and program levels involving the use of its risk assessment methodology, verification of risk mitigation strategies, and implementation of the ICP in field divisions. We discuss the areas for improvement and their impact on the effectiveness and sustainability of the ICP in the following sections.

FBI executives and managers are not using the ICP’s risk assessment methodology, and the risk selection process is informal, unsystematic, and undocumented.

We found that executives and managers are making minimal use of the risk assessment methodology the FBI developed to assist them in applying their professional judgment to the assessment and selection of risks. The ICP does not require this tool to be used. The FBI based this methodology on its research of best practices in corporate compliance programs, and it reflects the factors the FBI deemed important in considering risks to be addressed through the ICP. To prioritize risks, participants calculate a numeric score for each risk based on the frequency of the activity, the probability of non-compliance, and the consequence of non-compliance. The risk assessment methodology uses seven factors that we described in the background section of this report. The first six factors help calculate the probability of non-compliance. These factors are: complexity, internal risk indicators, external risk indicators, environment, workforce, and internal work process. The seventh factor, impact on privacy and civil liberties, helps determine the consequence of the activity. Participants also consider potential for legal action and reputational harm to the FBI when calculating consequence.

At the FBI-wide level, we found that as of fall 2010, FBI executives no longer consistently used the risk assessment methodology. Instead, ICP participants use their own, ad hoc criteria to prioritize risks. Interviewees from four of five Executive Management Committees told us that they did not use the methodology at all, and that they assessed risk through informal discussion before and during the quarterly Executive Management Committee meetings.
Interviewees in the fifth Executive Management Committee told us that certain members of their committee sometimes used the FBI’s methodology.45 The criteria most of the executives used included overall impact or seriousness, protecting the reputation of the FBI, the availability of human resources to work on mitigating the risk, the probability of the risk’s occurrence, the scope of the risk, negative financial impact, asking “what happens if we do nothing,” and “what would we not want to read in the paper.” While these are reasonable and important considerations – and many of them are incorporated into the risk assessment methodology – the FBI’s current practices do not ensure that managers will consider them consistently. The Executive Management Committees’ risk prioritization and selection are also not documented. While an attendee at each Executive Management Committee meeting takes minutes that include updates about the mitigation actions for risks undergoing mitigation, the minutes do not document how participants prioritized or selected risks for analysis.

45 We interviewed 15 FBI executives, 3 from each of the 5 Executive Management Committees.

Similarly, at the program level, we found that program managers’ use of the methodology was limited. Based on our survey results of program managers, we concluded that program managers used their professional judgment alone to assess risk more often than the methodology. Only 29 percent (13 out of 45) of the managers who responded to our survey reported using the methodology or the criteria in it to select risks when asked, “What do you use to determine the legal compliance risk to mitigate?” The remaining 71 percent (32 out of 45) gave a variety of answers that did not coincide with use of the methodology. While professional judgment is essential, its value to the process can be increased if it is focused through the FBI’s risk assessment methodology. We found that program managers describe the risks they have identified and their plans to mitigate them in written reports to the OIC, but these reports do not explain why they chose one risk over another or document the relative significance of the risks. Program risk identification relies primarily on written communication with the OIC two times per year and does not require in-person contact between OIC staff members and managers. This sporadic involvement may not allow for sufficient understanding among program managers of how risks should be assessed and selected.

We believe that use of a risk methodology does not exclude the use of professional judgment and knowledge in making the assessment; rather, it enhances the use of professional judgment. Further, when FBI executives and managers do not use the risk assessment tool, they cannot demonstrate that they considered each risk against the factors the FBI considers important. For example, one of the factors used in the methodology to assess the significance of a risk’s consequence is its impact on privacy and civil liberties. In fact, FBI violations of privacy and civil liberties in its use of National Security Letter authority were what prompted the FBI to establish the ICP.46 However, only 33 percent (5 of 15) of the executives we interviewed said they considered this factor when they made their assessments.
The other 10 may have also considered this factor, but they did not articulate that to us when we asked them what factors they considered when assessing risks. Using a formal methodology would give consistency to risk assessment and selection by ensuring that current and future participants consider the criteria the FBI deems important when assessing risk. This is an important consideration because the ICP’s participants are unlikely to remain constant due to turnover within the FBI and the FBI plans to expand the ICP to include more FBI field division participation.

46 U.S. Department of Justice Office of the Inspector General, Review of the Federal Bureau of Investigation’s Use of National Security Letters (March 9, 2007).

The ICP does not require external verification for major program mitigation efforts, and the OIC lacks the authority to require program-level participation.

At the program level, we found that the ICP lacks a way to ensure that risk reduction strategies are implemented and that they are effective at reducing compliance risks. First, program-level mitigation does not include any independent assessment of implemented strategies. Because of this lack of follow-through, the FBI cannot be sure that the mitigation steps were implemented and that compliance risk was reduced. Second, OIC staff oversees the program-level risk mitigation, but does not have the authority to require program managers to participate.
We found that six program managers did not participate as mandated by FBI policy.

In our sample of the reports that program managers submitted to the OIC covering activities completed, ongoing, or initiated from January through June 2010, we found that no mitigation actions were verified by an independent group, such as the FBI Inspection Division, individuals from another division, or even the OIC. We saw 24 instances in the sample where OIC staff members asked program managers to provide information about audit, monitoring, or “perceived effectiveness” of risk mitigation efforts, indicating that the OIC intended to use information about how well risk reduction strategies worked in its assessment. However, in no case did a program have an external verification to ensure that the mitigation actions had been taken and to assess the effectiveness of those actions. Verification could be as simple as someone checking that the plan is implemented and operational, and that the risk appears to be mitigated. Without this step, the ICP cannot ensure that managers’ mitigation actions are complete or effective.

While FBI policy mandates major program managers’ participation in the ICP, we found that this did not always occur.47 Specifically, 6 of 53 programs did not submit written reports to the OIC, as required. In these instances, the OIC directed managers to identify and submit risks “in accordance with FBI policy” in their next bi-annual reports. OIC staff members manage program-level risk mitigation but do not have authority to require programs to participate.
Assistant Directors could ensure that managers participate, but in our interviews only one of nine Assistant Directors we asked about program-level risk mitigation told us that he was aware of it, even though all nine were included in the distribution list for the reports about the risk mitigation activities. Moreover, the one Assistant Director who was aware of program-level risk mitigation questioned its value.

47 FBI Policy Directive 0126D, Application of the Integrity and Compliance Program to FBI Program Management, October 24, 2008.

We believe that success at the program level depends not only on the work of program managers and OIC staff, but also the Assistant Directors’ involvement and buy-in. Unlike the FBI-wide level of risk identification and mitigation, where senior executives meet quarterly with the OIC and the progress about risks is reported monthly to the FBI Director, at the program level, managers work more independently, often without any in-person interaction with OIC staff members. Program managers submit their reports to OIC staff members two times per year, and then the OIC staff review and provide feedback to the program managers. The Assistant Directors are included on the distribution lists for the reports from program managers to the OIC and then from the OIC to program managers, but their participation is not required.

For program-level risk mitigation to be an effective tool for reducing compliance risk, it should include verification that the mitigation actions were taken and are effective. The verifications should examine the risk mitigation efforts and make a determination about whether compliance risk was reduced.
In addition, involving Assistant Directors would ensure that they were aware of the risks their managers were addressing and that program managers prioritized program-level risk mitigation.

The ICP is not fully implemented in field divisions.

Although the majority of the ICP’s risk identification and mitigation activities currently take place at FBI headquarters, the OIC intends for field division employees to play a role in identifying compliance concerns. The ICP plans to establish field division compliance councils that will identify and mitigate risks, and has established a Division Compliance Officer position within field divisions to coordinate each field division’s council. However, the focus of the ICP thus far has been to implement the program at headquarters, and no formal structure has been established yet to implement the ICP in FBI field divisions.

In response to the 2007 creation of the Division Compliance Officer position, field divisions appointed officers, but as of fall 2010, the OIC had not fully developed or utilized this position, and the OIC’s Assistant Director described it as “a latent role.” The three Division Compliance Officers we interviewed in the field divisions we visited stated that they did not yet perform any additional tasks because of that role. They told us that, as their divisions’ Chief Division Counsels, they already performed most of the duties that the Division Compliance Officer policy established, such as providing legal and ethics advice and ethics training to FBI employees.48 The one duty that these three Division Compliance Officers did not currently perform was coordination with the OIC.

Additionally, as of August 2011 the ICP had not established a method to identify and mitigate compliance risks in field divisions. What we observed in 2010 seemed largely unchanged from the OIC’s assessment in 2008 when it wrote in the State of the Integrity and Compliance Program report that the “compliance portion of the program is still relatively unheralded beyond headquarters.” We found that field division employees were more likely to report compliance concerns to officials within their field divisions rather than to the OIC. During our site visit interviews, field division employees told us that they preferred to handle issues within their field divisions rather than to involve headquarters. Seventy of the 75 field division employees we interviewed told us that when they have a legal or a compliance-related question, they seek assistance from their Chief Division Counsels first. All three field Chief Division Counsels we interviewed (who also served as their field divisions’ Division Compliance Officers) indicated they would resolve issues within the field division if possible.
While resolving issues at the lowest possible level is generally preferable, if potential legal compliance issues are not consistently reported to the OIC – even if they are solved at the field division level – broader issues may not be recognized.

48 In 47 of 56 field offices the Chief Division Counsel serves as the Division Compliance Officer.

In August 2011 the OIC’s Assistant Director submitted a draft policy to the FBI’s Corporate Policy Office that would formally implement the ICP in field divisions. This policy would require each field division to establish a compliance council that would be required to meet at least twice a year. These councils would identify potential compliance risks and determine whether they constitute actual compliance risk within the division. For risks identified that pose a compliance risk within the division, the council would develop, implement, and track to completion mitigation plans. The council would inform the OIC of FBI-wide compliance risks and risks that could affect multiple field divisions. This policy would clarify the role of the Division Compliance Officer and require the Division Compliance Officer to be a field division senior manager “not lower than an Assistant Special Agent in Charge” because “for the ICP to succeed in the field, the ICP point of contact needs to have a certain level of authority.” Assistant Special Agents in Charge have more authority than Chief Division Counsels. Although they will no longer serve as Division Compliance Officers, the Chief Division Counsels would continue to administer the field divisions’ ethics program, provide legal advice, and respond to compliance concerns.
The Division Compliance Officer would lead the compliance council whose membership would include the Chief Division Counsel and other field division staff.

Having input from field divisions will help the ICP have a complete picture of compliance risks in FBI operations. Ten of 15 FBI executives we interviewed stated that field input to the ICP was important.49 One Executive Assistant Director stated that he wanted “risks to come from everyone because there may be additional perspectives or perceived risks.” Similarly, the FBI’s General Counsel stated that she expected the ICP would be getting field input because “we operate in the field” and “risks exist in the field.” Because field division employees are more likely to report compliance concerns to officials within their field division rather than to headquarters, the effectiveness of the ICP’s efforts to ensure that risks identified in the field are reported to the ICP depends on the development of the ICP in field divisions.

The OIC has not established a way to assess the ICP’s overall effectiveness or to measure progress toward achievement of ICP goals.

While the OIC is responsible for assessing the ICP, it has not evaluated the effectiveness of the ICP’s risk identification and mitigation efforts at either the FBI-wide or program level nor has it measured its progress toward achievement of the ICP’s goals since 2008. The OIC has not created the annual report of the ICP’s activities that FBI policy requires since 2008, and it does not track the ICP’s progress toward attaining the program’s goals. The OIC’s tool for measuring the FBI’s culture of compliance does not substitute as a way to measure the performance of the ICP.
Without a way to assess the ICP and a way to measure progress toward accomplishment of the ICP’s goals, the OIC cannot determine the ICP’s effectiveness at reducing compliance risk or identify where changes in the program should occur to ensure the sustainability of the ICP.

49 The other five executives may consider field input important but did not specifically state that during interviews.

The 2008 report summarized the elements of the ICP, the goals of the ICP, the steps the OIC took or planned to take to accomplish the ICP’s goals, and assessed how the ICP was doing so far.50 According to the OIC’s Assistant Director, the report was discontinued because it was too time consuming to write and duplicative of a monthly report that the OIC prepared for the FBI Director. This monthly report shows the status of all FBI-wide risks the ICP is mitigating, the degree to which the ICP has implemented each mitigation plan, and whether it considers any part of the mitigation process to be delayed. However, the monthly report does not provide information about the status of program-level risks, overall accomplishments of the ICP, challenges to the ICP, or information about whether the ICP is accomplishing its goals or future plans.

The OIC Assistant Director told us that the ICP uses responses to ethics- and integrity-related questions on the FBI’s employee survey to assess the FBI’s culture of compliance (see Appendix V).
While the survey data provides a useful assessment of the culture of compliance, it does not provide an adequate assessment of the ICP’s performance. While the efforts of the ICP may contribute to the positive ethical climate and culture of compliance, the survey cannot distill what aspects of the culture of compliance are attributable to the ICP’s efforts, as opposed to other activities in the FBI. It is not possible to know whether or to what degree the ICP’s activities have affected the culture based on the survey because the survey results have been consistently high year after year and were already high at the time of the creation of the ICP. An FBI survey analyst told us that the data over 3 years does not show any statistically significant trends.

50 The ICP goals are described as strategic shifts. These are summarized in Appendix IV.

While it is difficult to objectively evaluate the ICP, we believe the OIC could evaluate the extent to which the ICP effected shifts in the FBI’s culture of compliance and changes in how the FBI manages compliance risk. A consolidated annual report similar to the FBI’s 2008 State of the Integrity and Compliance Program report would be a tool for FBI executives and OIC management to gauge the ICP’s effectiveness; to review progress toward completing planned activities, strengths of, and challenges to the program; would increase awareness about the ICP; and would show what impact the ICP has had on the FBI.

Conclusions and Recommendations

We identified areas for improvement in the ICP at both the FBI-wide and program levels that, if addressed, could enhance its effectiveness and sustainability.
We found that FBI executives and\nmanagers do not use the risk assessment methodology designed for the\nICP to evaluate identified risks and that risk assessment and selection is\nunsystematic and undocumented. The FBI cannot address all potential\nrisks simultaneously because each risk requires significant resources to\nanalyze and mitigate. Thus, it is important that the ICP produce a\ncommon understanding of risks\xe2\x80\x99 relative priority so that executives and\nmanagers select those potential risks that most closely align with the\ncriteria contained in the risk assessment methodology.\n\n       In addition, at the program level, the ICP does not have external\nverification nor is it able to ensure full participation by major programs.\nBecause of this lack of external verification and because there is a lack of\ninvolvement by officials with the authority to require program manager\nparticipation, the FBI cannot be sure that the ICP has successfully\nimplemented the mitigation actions for the selected risks.\n\n       Also, the OIC has not yet fully implemented the ICP in field\ndivisions, and as a result, field divisions\xe2\x80\x99 role in risk identification and\nreporting to the OIC is undeveloped. Finally, the OIC has not established\na way to evaluate the ICP\xe2\x80\x99s overall effectiveness or the effectiveness of its\nprocesses. Without this, the FBI cannot identify where changes in the\nICP should occur and ensure the sustainability of the program.\n\n      To ensure the sustainability and improve the effectiveness of the\nICP, we recommend that the FBI:\n\n   2. Consider using a formal methodology that includes specific criteria\n      that participants must consider when assessing and prioritizing\n      risk.\n\n   3. Increase Assistant Director involvement in program-level risk \n\n      mitigation. \n\n\n   4. Require program-level risks to include a verification step.\n\n   5. 
Comply with existing requirements for an annual report assessing\n      the effectiveness of the ICP, for example, a report that articulates\n      the program\xe2\x80\x99s goals, shows progress toward accomplishing them,\n      and identifies areas for improvement.\n\n\n\n\nU.S. Department of Justice                                                34\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                 CONCLUSION AND RECOMMENDATIONS \n\n\n\n       We conclude that the FBI, through the ICP, has started to reduce\nthe FBI\xe2\x80\x99s risk of legal non-compliance and that the ICP has the potential\nto further reduce risk by identifying risks and making the operational\nand policy changes necessary to mitigate them before they become\nproblems. As of August 2011, the ICP\xe2\x80\x99s implemented mitigation\nstrategies reduced compliance risk in three FBI-wide risk areas. Further,\nthe ICP improved the FBI\xe2\x80\x99s ability to identify its potential compliance\nrisks by, for example, using a variety of sources to identify potential\nrisks. We believe that the concept of the FBI\xe2\x80\x99s OIC program has been\nbeneficial to its efforts to monitor and enhance compliance with legal\nrequirements, and that other agencies may wish to consider\nimplementing a similar kind of program. We found that the ICP\xe2\x80\x99s\nprocess for developing mitigation strategies resulted in comprehensive\nplans that, if implemented as described, we believe would reduce\ncompliance risk in those areas.\n\n       We identified several areas in the ICP that, if refined, could\nimprove the ICP\xe2\x80\x99s ability to reduce legal compliance risk and the ICP\xe2\x80\x99s\nsustainability. The OIC manages the FBI\xe2\x80\x99s ethics program and promotes\nreporting of compliance concerns, and has enhanced the program by\nestablishing new initiatives to encourage compliance and ethical behavior\nwithin the FBI. 
However, we found that only 20 percent (14 of 70) of the\nfield division employees we asked were aware of the Helpline the OIC\nestablished to facilitate direct reporting of compliance concerns. Only\n13 percent (8 of the 64) of field division employees we asked were aware\nof the Director\xe2\x80\x99s award the OIC established to recognize contributions to\nthe ICP. For these initiatives to be effective, FBI personnel must be\naware of them.\n\n       In addition, we found that FBI executives and managers do not use\nthe risk assessment methodology designed for the ICP to prioritize\nidentified risks and that risk prioritization and selection is informal,\nunsystematic, and undocumented. It is important for the ICP to produce\na common understanding of risks\xe2\x80\x99 relative priority so that executives and\nmanagers select, analyze, and mitigate those that most closely align with\nthe criteria contained in the risk assessment methodology.\n\n      Further, at the program level there is no external verification that\nmitigation actions were completed and were effective. Because of this\nlack of monitoring, the FBI cannot be sure that the ICP successfully\nimplemented the mitigation actions for the identified risks.\n\nU.S. Department of Justice                                               35\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       Also, the OIC has not yet fully implemented the ICP in field\ndivisions, and as a result, field divisions\xe2\x80\x99 role in risk identification and\nreporting to the OIC is undeveloped. Finally, the OIC has not established\na way to evaluate the ICP\xe2\x80\x99s overall effectiveness or the effectiveness of its\nprocesses. Without this, the FBI cannot identify where changes in the\nICP should occur and ensure the sustainability of the program.\n\n      To ensure the sustainability and improve the effectiveness of the\nICP, we recommend that the FBI:\n\n   1. 
Increase awareness of the Compliance Helpline and other OIC\n      human resource initiatives.\n\n   2. Consider using a formal methodology that includes specific criteria\n      that participants must consider when assessing and prioritizing\n      risk.\n\n   3. Increase Assistant Director involvement in program-level risk\n      mitigation.\n\n   4. Require program-level risks to include a verification step.\n\n   5. Comply with existing requirements for an annual report assessing\n      the effectiveness of the ICP, for example, a report that articulates\n      the program\xe2\x80\x99s goals, shows progress toward accomplishing them,\n      and identifies areas for improvement.\n\n\n          APPENDIX I: FBI COMPLIANCE PROGRAM POLICIES\n\n\n   FBI Corporate Policy: Integrity and Compliance Program, 0002D\n   Date Approved: June 25, 2007\n   Summary: Establishes the Integrity and Compliance Program and the Office of\n   Integrity and Compliance and describes their responsibilities. Additionally,\n   it explains the roles of the Inspection Division and the Office of General\n   Counsel in the Integrity and Compliance Program.\n\n   FBI Corporate Policy: Integrity and Compliance Executive Management\n   Committees Charter, 0003D\n   Date Approved: June 25, 2007\n   Summary: Describes the membership of each Executive Management Committee,\n   and the membership\xe2\x80\x99s roles and responsibilities in the Integrity and\n   Compliance Program.\n\n   FBI Corporate Policy: Integrity and Compliance Council Charter, 0004D\n   Date Approved: June 25, 2007\n   Summary: Details the purpose of the Integrity and Compliance Council, its\n   members, and the members\xe2\x80\x99 roles and responsibilities.\n\n   FBI Corporate Policy: Division Compliance Officer, 0005D\n   Date Approved: October 1, 2007\n   Summary: States that each division must appoint a Division Compliance\n   Officer. This policy establishes that the Division Compliance Officer,\n   which is a collateral duty, is to provide a single point of contact for\n   each field division.\n\n   FBI Corporate Policy: Executive Performance Appraisals - Compliance, 0006D\n   Date Approved: October 1, 2007\n   Summary: Integrates the Integrity and Compliance Program into executive\n   management performance appraisals. Specifically, it requires that FBI\n   executive management review and mitigate each of the number-one compliance\n   risks identified by the five Executive Management Committees.\n\n   FBI Corporate Policy: Non-Retaliation for Reporting Compliance Risks, 0032D\n   Date Approved: February 11, 2008\n   Summary: States that FBI management shall train their personnel on ways to\n   report compliance risks. It also encourages employees to report compliance\n   concerns, and prohibits retaliation against anyone who reports them.\n\n   FBI Corporate Policy: Application of the Integrity and Compliance Program\n   to FBI Program Management, 0126D\n   Date Approved: October 24, 2008\n   Summary: Identifies the FBI programs the Integrity and Compliance Program\n   considers \xe2\x80\x9cmajor.\xe2\x80\x9d In addition, this directive states that major programs\n   must prioritize their top three risks and mitigate them one at a time in\n   order of priority.\n\n   FBI Corporate Policy: Compliance Risk Referrals, 0136D\n   Date Approved: October 24, 2008\n   Summary: Describes the process the Office of Integrity and Compliance must\n   follow when compliance risks are reported.\n\n\n             APPENDIX II: LIST OF FBI MAJOR PROGRAMS\n\n\n  1.   Facilities Management and Acquisition Program\n  2.   Fleet Management & Transportation Services Program\n  3.   Secure Work Environment Program\n  4.   Applicant Program\n  5.   
Executive Development & Selection Program\n  6.   Healthcare/Medical Services Program\n  7.   Human Resource Information Systems Program\n  8.   Human Resources Management Program\n  9.   Freedom of Information Privacy Acts Program\n 10.   National Name Check Program\n 11.   Information Assurance Program\n 12.   Personnel Security Program\n 13.   Training Program\n 14.   Defensive Systems Program\n 15.   Civil Rights Program\n 16.   Gang/Criminal Enterprise Program\n 17.   Organized Crime Program\n 18.   Public Corruption/Civil Rights Program\n 19.   Undercover and Sensitive Ops Program\n 20.   Violent Crimes Program\n 21.   Financial Crimes Section/Health Care Fraud\n 22.   Critical Incident Response Program\n 23.   Surveillance and Aviation Program\n 24.   Computer Intrusion Program\n 25.   Cyber Crime Program\n 26.   Legat Attach\xc3\xa9 Program\n 27.   IT Engineering Program\n 28.   IT Management Program\n 29.   IT Services Program\n 30.   Knowledge Management Program\n 31.   Counterintelligence Program\n 32.   Domestic Terrorism Program\n 33.   International Terrorism Program\n 34.   Foreign Terrorist Tracking Taskforce Program\n 35.   Foreign Language Program\n 36.   Human Intelligence Program\n 37.   Intelligence Program\n 38.   Weapons of Mass Destruction\n 39.   Biometric Interoperability Program\n 40.   IAFIS/Interoperability Program\n 41.   Law Enforcement National Data Exchange Program\n 42.   Next Generation Identification Program\n 43.   Biometrics (Biometric Center of Excellence) Program\n 44.   Combined DNA Index System Program\n 45.   Field Evidence Program\n 46.   Operational Response Program\n 47.   Advanced Electronic Surveillance and Search Program\n 48.   Digital Evidence Forensics Program\n 49.   Radio Program\n 50.   Specialized Support and Coordination Program\n 51.   Tactical Operations Program\n 52.   
Technical Personnel and Defensive Program\n 53.   Video Physical Surveillance Program\n\n\n         APPENDIX III: METHODOLOGY OF THE OIG REVIEW\n\n\n       We conducted in-person and telephone interviews of FBI personnel\nin the Washington, D.C., area, conducted site visits to interview field\ndivision personnel, and reviewed policies of the Integrity and Compliance\nProgram. We conducted document reviews, performed data analysis,\nobserved meetings of the Executive Management Committees, and\nattended an Ethics and Compliance Officers Association\xe2\x80\x99s annual\nconference. We also developed an e-mail survey for FBI program\nmanagers.\n\nInterviews\n\n       We interviewed 118 FBI officials and staff members at\nheadquarters and field divisions, and 3 non-FBI personnel. The 37 FBI\nheadquarters-level interviews provided information on the overall\noperations of the ICP. Of the 118 interviews of FBI staff, 81 were\nconducted at field divisions and provided insight into the current level of\nfield involvement in and awareness of the ICP. We conducted the three\nnon-FBI interviews to learn about corporate compliance programs. See\nbelow for a list of officials interviewed during the review.\n\n Organization: Integrity and Compliance Council & Executive Management\n Committee Participants\n Interviewees by Position:\n   FBI Director\n   Associate Deputy Director (former Executive Assistant Director,\n   Criminal, Cyber, Response and Services Branch)\n   Executive Assistant Director, National Security Branch\n   Executive Assistant Director, Science & Technology Branch\n   Executive Assistant Director, Information Technology Branch\n   Executive Assistant Director, Human Resources Branch\n   General Counsel\n   Assistant Director, Criminal Investigative Division\n   Assistant Director, Information Technology\n   Assistant Director, Directorate of Intelligence\n   Assistant Director, Critical Incident Response Group\n   Assistant Director, Operational Technology Division\n   Assistant Director, Weapons of Mass Destruction Directorate\n   Assistant Director, Human Resources Division\n   Section Chief, Special Technologies and Applications Office\n   Chief Knowledge Officer\n   Deputy Assistant Director, Training Division\n\n Organization: Office of Integrity and Compliance\n Interviewees by Position:\n   Assistant Director, Office of Integrity and Compliance\n   1 Unit Chief\n   9 Attorneys\n   1 Supervisory Special Agent\n   2 Management Analysts\n\n Organization: Inspection Division\n Interviewees by Position:\n   Assistant Director, Inspection Division\n   Deputy Assistant Director, Inspection Division\n   Section Chief, External Audit and Compliance, Inspection Division\n   Chief Inspector, Inspection Division\n\n Organization: Other FBI Personnel\n Interviewees by Position:\n   Chair, Middle Management Committee\n   Unit Chief, Criminal Investigative Division\n\n Organization: Field Division Personnel\n Interviewees by Position:\n   In the Knoxville Field Division, we interviewed the Special Agent in\n   Charge, the Chief Division Counsel (serves as the Division Compliance\n   Officer), and 17 other staff consisting of Assistant Special Agents in\n   Charge; Supervisory Special Agents; Special Agents; Intelligence\n   Analysts; Technical Information Specialists; a Support Supervisor; and\n   an Auditor.\n   In the Sacramento Field Division, we interviewed the Special Agent in\n   Charge, the Chief Division Counsel (serves as the Division Compliance\n   Officer), and 30 other staff consisting of Assistant Special Agents in\n   Charge; Supervisory Special Agents; Special Agents; Intelligence\n   Analysts; a Support Services Technician; a Supervisory Administrative\n   Specialist; a Victim Specialist; an Investigative Operations Analyst; an\n   Electronic Surveillance Technician; and an Auditor.\n   In the Miami Field Division, we interviewed the Special Agent in\n   Charge, the Chief Division Counsel (serves as the Division Compliance\n   Officer), and 28 other staff consisting of Assistant Special Agents in\n   Charge; Supervisory Special Agents; Special Agents; Intelligence\n   Operations Specialists; a Supervisory Intelligence Analyst; a Support\n   Operations Specialist; and a Support Supervisor.\n\n Organization: Non-FBI Interviewees\n Interviewees by Position:\n   Chief Executive Officer, Society of Corporate Compliance and Ethics\n   Consultant to the FBI\xe2\x80\x99s Office of Integrity and Compliance\n   Special Agent, Investigations Division, Office of the Inspector General\n\nSite Visits\n\n       To assess the perspectives of field employees, we conducted site\nvisits to the FBI\xe2\x80\x99s Knoxville, Miami, and Sacramento field divisions and\ninterviewed employees about identifying and reporting compliance risks.\nWe selected these field divisions based on a series of criteria, such as size\nof the office, type of investigation, and field office scores on FBI employee\nsurvey questions that the OIC added to assess the culture of compliance.\n\nDocument Reviews and Data Analyses\n\n       To determine the scope of the ICP and to understand how it\nfunctions, we reviewed policy directives governing the ICP, OIC\nbrochures, information about ICP awards and who has received them,\nroutine directives from the OIC to field divisions, and FBI ethics\nmaterials. We also examined documentation from the ICP\xe2\x80\x99s risk\nidentification, mitigation, and audit process including Integrity and\nCompliance Council and Executive Management Committee meeting\nminutes; risk analyses, mitigation plans, and audits; and program-level\nreports. 
To gain information about the program-level process for\nassessing and selecting risk, we surveyed program managers from the\nFBI\xe2\x80\x99s major program areas and performed qualitative analyses of their\nresponses. We also reviewed the FBI\xe2\x80\x99s Inspection Division self-inspection\nreports for the FBI field divisions we visited to determine how these\nreports could be used in risk identification.\n\n       We analyzed Leading Risk Indicator Reports from 2008 through\n2010 to determine what sources the ICP used in identifying potential\nrisks, reviewed compliance concerns reported to the OIC via its Helpline\nand other sources to determine whether FBI employees were reporting\ncompliance concerns to the ICP, and compared reports of compliance\nconcerns against reports of retaliation to determine whether any\nemployee was retaliated against for reporting a compliance concern. We\nalso examined results from the FBI\xe2\x80\x99s 2007, 2008, and 2009 climate\nsurvey to assess whether a culture of compliance existed within the FBI.\n\n       To understand how program managers of the FBI\xe2\x80\x99s major programs\nparticipated in the ICP, we reviewed a sample of FBI program manager\nreports covering activities initiated or completed between December 2009\nand June 2010. These reports included information from 53 programs\nabout risks being identified and mitigated, and OIC feedback about the\ninformation program managers submitted.\n\nObservations\n\n      To see the ICP process firsthand, we observed meetings of three\nExecutive Management Committees in July 2010. In addition, we\nattended the Ethics and Compliance Officers Association\xe2\x80\x99s annual\nconference in September 2010 to gain a greater understanding of\ncorporate compliance programs upon which the FBI\xe2\x80\x99s ICP is based.\n\nProgram Manager Survey\n\n       To learn more about how the ICP was implemented at the program\nlevel, we developed a nine-question e-mail survey for FBI program\nmanagers. The questions included the number of risks program\nmanagers had identified, the criteria used to identify risk, and ways the\nprogram benefitted them, as well as any suggestions program managers\nhad regarding the ICP process. We distributed the survey to 54 FBI\nprogram managers or their designees in the FBI\xe2\x80\x99s 53 major programs,\nand 48 managers responded, representing 49 programs.51\n\n\n       51 Some major programs had more than one program manager, and six program\nmanagers that responded represented more than one program.\n\n\n    APPENDIX IV: FBI STRATEGIC SHIFTS ANTICIPATED BY OIC\n\n\n               The Strategic Shifts the OIC Anticipated from\n                        Implementation of the ICP\n\n  Cultural Changes in Views About Compliance Risk\n\n  Pre-ICP Establishment: Compliance is viewed as an obstacle to mission\n  accomplishment\n  Post-ICP Establishment: Compliance is viewed as integral to mission\n  accomplishment, and is incorporated into day-to-day operations, decision\n  making and work processes\n\n  Pre-ICP Establishment: Compliance is a senior leadership concern only\n  Post-ICP Establishment: Employees know and understand laws and policies\n  of their work, ask questions, and report non-compliance; managers teach\n  employees rules\n\n  Pre-ICP Establishment: Non-compliance is enforced through punitive\n  measures\n  Post-ICP Establishment: Employees comfortable with raising compliance\n  concerns; managers do not retaliate for and act on reports of\n  non-compliance\n\n  Pre-ICP Establishment: Performance evaluation based on inspection and\n  audit findings\n  Post-ICP Establishment: Performance evaluation based on ability to\n  identify programs, practices, and activities that may pose risks,\n  determine causes of future failure points and mitigate those risks\n\n  Structural Changes in Managing Compliance Risk\n\n  Pre-ICP Establishment: Scope is periodic, limited to certain programs,\n  and reactive and backward looking\n  Post-ICP Establishment: Scope is continuous, enterprise-wide, and\n  proactive and forward looking\n\n  Pre-ICP Establishment: Internal communications are reactive, diffused,\n  difficult to find, top-down\n  Post-ICP Establishment: Internal communications are proactive,\n  enterprise-wide, unified, easily accessible and top-down and bottom-up\n\n  Pre-ICP Establishment: Risk identification stove-piped and primarily\n  located in Inspection Division\n  Post-ICP Establishment: Risk identification and mitigation at all levels\n  and divisions\n\n  Pre-ICP Establishment: Mitigation is ad hoc and reactive\n  Post-ICP Establishment: Formal structure with oversight\n\n  Pre-ICP Establishment: Conducted as collateral duty\n  Post-ICP Establishment: Conducted by a cadre of full time compliance\n  professionals\n\n  Pre-ICP Establishment: Resources are allocated in reaction to compliance\n  issues\n  Post-ICP Establishment: Resource requests and allocations are driven by\n  risk identification, prioritization and mitigation\n\nNote: The \xe2\x80\x9cstrategic shifts\xe2\x80\x9d are an articulation of the ICP\xe2\x80\x99s goals. These goals are\nchanges in the way the FBI views and manages compliance as a result of the ICP.\n\nSource: The FBI\xe2\x80\x99s 2008 State of the Integrity and Compliance Program report.\n\n\n           APPENDIX V: FBI EMPLOYEE SURVEY QUESTIONS\n\n\n Employee Survey Question (average score for 2007, 2008, and 2009)\n\n Following the law is just as important as accomplishing the mission\n      2007: 4.54   2008: 4.56   2009: 4.73\n\n If my supervisor tells me to ignore a minor procedure established by laws,\n regulations or policies, I assume he or she has a good reason and will follow\n orders without asking for those reasons\n      2007: 3.91   2008: 3.95   2009: 4.09\n\n Sometimes it is necessary for me to ignore the literal requirements of a\n law, regulation or policy to meet the FBI mission\n      2007: 4.02   2008: 4.09   2009: 4.11\n\n FBI employees who comprise the general workforce set a positive example for\n their peers and coworkers by adhering to applicable rules, regulations, and\n policies\n      2007: 4.16   2008: 4.22   2009: 4.10\n\n I am reluctant to report incidents of non-compliance with applicable rules,\n regulations, and policies due to the possible consequences of reporting them\n      2007: 3.84   2008: 3.90   2009: 3.90\n\n If I see someone else engaging in misconduct, I will report it to the\n appropriate authorities\n      2007: 4.07   2008: 4.06   2009: 4.09\n\n FBI executive management has made clear that a commitment to ethics,\n integrity, and compliance is an institutional priority\n      2007: 4.08   2008: 4.12   2009: 4.20\n\n I am able to identify and communicate key risks within my area of\n responsibility\n      2007: Not asked   2008: 3.98   2009: 4.00\n\n The importance of risk management and control has been communicated to me\n through specific training, supervisor communications, and policy and\n practice in my squad or unit.\n      2007: Not asked   2008: 3.79   2009: 3.87\n\n I understand the level of risk I can take on behalf of the FBI involving\n override or alteration of internal control procedures or policies\n      2007: Not asked   2008: 3.66   2009: 3.73\n\n I can easily find authoritative, usable policy information\n      2007: 3.31   2008: 3.32   2009: 3.06\n\n Management is receptive to all communications about risk, including bad news\n      2007: 3.12   2008: 3.58   2009: 3.60\n\n I believe FBI executive managers set a positive example for the organization\n by adhering to applicable rules, regulations, and policies\n      2007: 3.33   2008: 3.46   2009: 3.56\n\nNote: Survey respondents answer each question depending on their level of agreement\nwith the statement on a scale of 1 (strongly disagree) through 5 (strongly agree).\nHowever, some questions are worded negatively; therefore, they are re-coded so that the\nhigher number is always better. The FBI then computed an average of responses to\ngenerate a score between 1 and 5.\nSource: FBI employee survey.\n\n\n              APPENDIX VI: FBI RESPONSE TO DRAFT REPORT\n\n\n                                                                     U.S. Department of Justice\n\n                                                                     Federal Bureau of Investigation\n\n                                                                     Washington, D.C.\n                                                                     November 14, 2011\n\n\n      Cynthia A. Schnedar\n      Acting Inspector General\n      Office of the Inspector General\n      U.S. Department of Justice\n      Suite 4706\n      950 Pennsylvania Avenue, NW\n      Washington, D.C. 20530\n\n       Dear Ms. Schnedar:\n\n                          The Federal Bureau of Investigation (FBI) appreciates the opportunity to review\n      and respond to your draft report on "The Federal Bureau of Investigation\'s Integrity and\n      Compliance Program [ICP]."\n\n                           Compliance with the Constitution, individual and institutional integrity, and\n      accountability are core values of the FBI. Further, it is our policy to comply fully with all laws\n      and rules governing our operations and to adhere to the highest standards of ethical conduct. To\n      better implement that policy and advance our Core Values, we established the ICP. We note that\n      the report found the Office of Integrity and Compliance has "enhanced" the FBI\'s ethics program\n      and "promotes" reporting of compliance concerns. We are also pleased that the report found that,\n      "[t]hrough the ICP, the FBI implemented strategies that have started to reduce legal compliance\n      risk in FBI operations." The report states that the ICP establishes a "systematic process for risk\n      identification" and has improved FBI senior management\'s knowledge of, and response to,\n      compliance risks. We agree with the report that the implementation of the ICP marked a\n      "fundamental change" in how the FBI identifies and manages legal compliance risks before they\n      develop into problems. We are proud to have taken this step towards good governance.\n\n                        Enclosed herein are the FBI\'s responses to the report\'s recommendations. Please\n      feel free to contact me at 202-324-[remaining digits illegible in scan] should you have any questions or need further\n      information.\n\n                                                                    Sincerely,\n\n                                                                    [signature]\n                                                                     Assistant Director\n                                                                     Office of Integrity and Compliance\n\n\n      Enclosure\n\n\n                                        OIG Review of the FBI\'s\n                                   Integrity and Compliance Program\n\n        Recommendation #1 - Increase awareness of the Compliance Helpline and other OIC\n        human resource initiatives.\n\n        FBI Response to Recommendation #1:\n        The Office of Integrity and Compliance (OIC) concurs with this recommendation. In Fiscal\n        Year (FY) 12, OIC intends to develop and implement a plan to increase awareness of the\n        Compliance Helpline and other OIC human resource initiatives such as the Director\'s\n        Compliance Award.\n\n        Recommendation #2 - Consider using a formal methodology that includes specific criteria\n        that participants must consider when assessing and prioritizing risk.\n\n        FBI Response to Recommendation #2:\n        OIC concurs with this recommendation. When OIC was formed, a formal risk assessment\n        methodology was developed as one of many tools to assist management in the identification of\n        potential risks. OIC still uses this risk methodology tool and periodically trains leadership on its\n        use to ensure Executive Management Committee (EMC) participants understand and consider\n        these criteria when assessing and prioritizing risk. During this past round of EMC meetings in\n        October and November of 2011, OIC provided training to each committee on the risk assessment\n        methodology. These criteria were identified as one tool which should be considered in\n        conjunction with a variety of other factors impacting the risk assessment and prioritization\n        process. These other factors include staffing limitations (on either OIC or on the risk owner),\n        resource limitations, and the risk owner\'s mission priorities. All of these factors should be taken\n        into consideration when selecting a risk. Using the corporate compliance sector as a model, OIC\n        believes that compliance is the business of each executive. Each FBI executive is uniquely\n        positioned to understand and appreciate his or her risk areas and mission. Ultimately, OIC defers\n        to the executive in the selection of a potential risk for analysis.\n\n        Recommendation #3 - Increase Assistant Director involvement in program-level risk\n        mitigation.\n\n        FBI Response to Recommendation #3:\n        OIC concurs with this recommendation. Pursuant to FBI Corporate Policy Directive 0126D, all\n        managers of major programs must submit their semi-annual compliance risk report "up to and\n        including the Assistant Director level and OIC." Pursuant to this Directive, OIC will remind\n        major program managers of this requirement in the coming year. During this most recent set of\n        quarterly EMC meetings, OIC provided training to each committee, to include Assistant\n        Directors. A component of this training addressed the reporting requirement for major program\n        managers and reminded Assistant Directors of their role in the process.\n\n        Recommendation #4 - Require program-level risks to include a verification step.\n\n        FBI Response to Recommendation #4:\n        OIC concurs with this recommendation. Staffing limitations, however, constrain OIC\'s ability to\n        verify mitigation efforts for every risk reported by 53 major programs. In FY 12, OIC will\n        establish a random verification process for major programs and will require verification of\n        mitigation efforts for a sampling of programs during each of the two reporting periods.\n\n        Recommendation #5 - Comply with existing requirements for an annual report assessing\n        the effectiveness of the ICP; for example, a report that articulates the program\'s goals,\n        shows progress towards accomplishing them, and identifies areas for improvement.\n\n        FBI Response to Recommendation #5:\n        OIC concurs with this recommendation. It bears noting that at present, OIC provides a monthly\n        compliance update chart to every senior executive within the FBI. On a quarterly basis, each\n        branch holds a meeting to discuss its compliance risks. OIC uses these meetings to provide\n        training, update on risks and to articulate program initiatives. Three times per year, senior\n        executives meet with the Director of the FBI to discuss compliance risks. Similar to the\n        quarterly meetings, OIC uses this medium as a way to provide updates on OIC initiatives and\n        risk analysis and mitigation efforts.\n\n\n           APPENDIX VII: OIG ANALYSIS OF FBI RESPONSE\n\n\n      The Office of the Inspector General provided a draft of this report to\nthe Federal Bureau of Investigation for its comment. The report\ncontained five recommendations for consideration. The FBI\xe2\x80\x99s response is\nincluded in Appendix VI to this report. The OIG\xe2\x80\x99s analysis of the FBI\xe2\x80\x99s\nresponse and the actions necessary to close the recommendations are\ndiscussed below.\n\nRecommendation 1. Increase awareness of the Compliance Helpline\nand other OIC human resource initiatives.\n\n       Status. Resolved \xe2\x80\x93 open.\n\n      Summary of the FBI Response. The FBI concurred with the\nrecommendation and stated that in fiscal year (FY) 2012, the OIC intends\nto develop and implement a plan to increase awareness of the\nCompliance Helpline and other OIC human resource initiatives such as\nthe Director\xe2\x80\x99s Compliance Award.\n\n       OIG Analysis. The actions taken and planned by the FBI are\nresponsive to our recommendation. By February 29, 2012, please\nprovide the OIG with a plan that describes the specific actions the OIC\nwill take to increase awareness of the Compliance Helpline and other OIC\nhuman resource initiatives, and the dates by which the OIC plans to\ncomplete those activities, or a status of your progress.\n\nRecommendation 2. Consider using a formal methodology that\nincludes specific criteria that participants must consider when\nassessing and prioritizing risk.\n\n       Status. Resolved \xe2\x80\x93 open.\n\n       Summary of the FBI Response. 
The FBI concurred with this\nrecommendation and stated that \xe2\x80\x9cwhen the OIC was formed, a formal\nrisk assessment methodology was developed as one of many tools to\nassist management in the identification of potential risks,\xe2\x80\x9d and that the\nOIC still uses this risk methodology tool. According to the FBI, the OIC\nprovided training on the methodology to Executive Management\nCommittee members during committee meetings in October and\nNovember 2011. The training presented the methodology as \xe2\x80\x9cone tool\nwhich should be considered in conjunction with a variety of other\n\n\nU.S. Department of Justice                                               49\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cfactors\xe2\x80\x9d such as staffing limitations, resource limitations, and the risk\nowner\xe2\x80\x99s mission priorities in assessing and prioritizing risk.\n\n       OIG Analysis. The actions taken by the FBI are responsive to our\nrecommendation. By February 29, 2012, please provide the OIG\ndocumentation of the October and November 2011 training, including\nthe training materials and a list of who attended.\n\nRecommendation 3. Increase Assistant Director involvement in\nprogram-level risk mitigation.\n\n       Status. Resolved \xe2\x80\x93 open.\n\n      Summary of the FBI Response. 
The FBI concurred with this\nrecommendation and noted that pursuant to FBI Corporate Policy\nDirective 0126D, \xe2\x80\x9call managers of major programs must submit their\nsemi-annual compliance risk report up to and including the Assistant\nDirector level and OIC.\xe2\x80\x9d The FBI also stated that the OIC will remind\nmajor program managers of this requirement in the coming year.\nFurther, the FBI stated that the most recent quarterly Executive\nManagement Committee meetings included training that \xe2\x80\x9caddressed the\nreporting requirement of major program managers and reminded\nAssistant Directors of their role in the process.\xe2\x80\x9d\n\n       OIG Analysis. The FBI\xe2\x80\x99s actions are responsive to our\nrecommendation. However, we note that so far, submitting the program\nmanager reports to the Assistant Directors has not resulted in sufficient\nAssistant Director involvement in program-level risk mitigation. By\nFebruary 29, 2012, please provide documentation of the reminders of the\nreporting and participation requirements given to Assistant Directors, a\ndescription of the role Assistant Directors will have in program-level risk\nmitigation, and the specific actions the FBI will take to increase their\ninvolvement. Additionally, please provide documentation that all major\nprograms required to participate in program-level risk mitigation did\nparticipate. If the OIC exempted any major programs, include the reason\nfor the exemption.\n\nRecommendation 4. Require program-level risks to include a\nverification step.\n\n       Status. Resolved \xe2\x80\x93 open.\n\n     Summary of the FBI Response. The FBI concurred with our\nrecommendation and stated that in FY 2012, the OIC will establish \xe2\x80\x9ca\n\nU.S. 
Department of Justice                                                  50\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0crandom verification process for major programs and will require\nverification of mitigation efforts for a sampling of programs during each\nof the two reporting periods.\xe2\x80\x9d The FBI added that because of staffing\nlimitations, the OIC will not be able to verify mitigation efforts for every\nrisk reported by 53 major programs in every cycle.\n\n      OIG Analysis. The FBI\xe2\x80\x99s actions are responsive to this\nrecommendation. By February 29, 2012, please provide a specific\ndescription of how the OIC will conduct its verification process to ensure\nthat each program is sampled every 2 years. In addition, please provide\nthe results of all the verifications that the OIC completes by February\n2012.\n\nRecommendation 5. Comply with existing requirements for an\nannual report assessing the effectiveness of the ICP, for example, a\nreport that articulates the program\xe2\x80\x99s goals, shows progress toward\naccomplishing them, and identifies areas for improvement.\n\n       Status. Resolved \xe2\x80\x93 open.\n\n       Summary of the FBI Response. The FBI concurred with our\nrecommendation. The FBI also noted several existing processes for\nupdating managers about current compliance efforts. These processes\ninclude the OIC providing a monthly compliance update chart to every\nsenior executive within the FBI; the use of Executive Management\nCommittee quarterly meetings for the OIC to provide training, update\nparticipants on risks, and articulate program initiatives; and that three\ntimes per year, senior executives meet with the Director of the FBI to\ndiscuss compliance risks.\n\n       OIG Analysis. Although the FBI concurred with our\nrecommendation, its response did not describe how it would respond to\nthe recommendation that it produce an annual report of the ICP\xe2\x80\x99s\neffectiveness. 
We note that while the monthly updates and discussions\nduring meetings that the FBI describes in its response are useful, they\nare not a replacement for an annual report that articulates the program\xe2\x80\x99s\ngoals, shows progress toward accomplishing them, and identifies\nchallenges and areas for improvement. By February 29, 2012, please\nprovide a description of the FBI\xe2\x80\x99s plan for satisfying the recommendation\nthat it produce an annual written report of the ICP\xe2\x80\x99s activities and\neffectiveness.\n\n\n\n\nU.S. Department of Justice                                                 51\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c'